CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38075 – scsi: target: iscsi: Fix timeout on deleted connection
https://notcve.org/view.php?id=CVE-2025-38075
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix timeout on deleted connection NOPIN response timer may expire on a deleted connection and crash with such logs: Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d BUG: Kernel NULL pointer dereference on read at 0x00000000 NIP strlcpy+0x8/0xb0 LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod] Call Trace: iscsit_hand... • https://git.kernel.org/stable/c/571ce6b6f5cbaf7d24af03cad592fc0e2a54de35 •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38074 – vhost-scsi: protect vq->log_used with vq->mutex
https://notcve.org/view.php?id=CVE-2025-38074
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_... • https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38073 – block: fix race between set_blocksize and read paths
https://notcve.org/view.php?id=CVE-2025-38073
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: block: fix race between set_blocksize and read paths With the new large sector size support, it's now the case that set_blocksize can change i_blksize and the folio order in a manner that conflicts with a concurrent reader and causes a kernel crash. Specifically, let's say that udev-worker calls libblkid to detect the labels on a block device. The read call can create an order-0 folio to read the first 4096 bytes from the disk. But then ude... • https://git.kernel.org/stable/c/64f505b08e0cfd8163491c8c082d4f47a88e51d4 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38072 – libnvdimm/labels: Fix divide error in nd_label_data_init()
https://notcve.org/view.php?id=CVE-2025-38072
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: libnvdimm/labels: Fix divide error in nd_label_data_init() If a faulty CXL memory device returns a broken zero LSA size in its memory device information (Identify Memory Device (Opcode 4000h), CXL spec. 3.1, 8.2.9.9.1.1), a divide error occurs in the libnvdimm driver: Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:nd_label_data_init+0x10e/0x800 [libnvdimm] Code and flow: 1) CXL Command 4000h returns LSA size = 0 2) config_size is... • https://git.kernel.org/stable/c/2bd4a938d2eda96ab7288b8fa5aae84a1de8c4ca •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38071 – x86/mm: Check return value from memblock_phys_alloc_range()
https://notcve.org/view.php?id=CVE-2025-38071
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/mm: Check return value from memblock_phys_alloc_range() At least with CONFIG_PHYSICAL_START=0x100000, if there is < 4 MiB of contiguous free memory available at this point, the kernel will crash and burn because memblock_phys_alloc_range() returns 0 on failure, which leads memblock_phys_free() to throw the first 4 MiB of physical memory to the wolves. At a minimum it should fail gracefully with a meaningful diagnostic, but in fact every... • https://git.kernel.org/stable/c/8c18c904d301ffeb33b071eadc55cd6131e1e9be •
CVSS: 5.6EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38070 – ASoC: sma1307: Add NULL check in sma1307_setting_loaded()
https://notcve.org/view.php?id=CVE-2025-38070
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: sma1307: Add NULL check in sma1307_setting_loaded() All varibale allocated by kzalloc and devm_kzalloc could be NULL. Multiple pointer checks and their cleanup are added. This issue is found by our static analysis tool In the Linux kernel, the following vulnerability has been resolved: ASoC: sma1307: Add NULL check in sma1307_setting_loaded() All varibale allocated by kzalloc and devm_kzalloc could be NULL. Multiple pointer checks and... • https://git.kernel.org/stable/c/f8434b8ba437d3f6cbcd9ffe8405bd16ed28fc5c •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38069 – PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops
https://notcve.org/view.php?id=CVE-2025-38069
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops Fix a kernel oops found while testing the stm32_pcie Endpoint driver with handling of PERST# deassertion: During EP initialization, pci_epf_test_alloc_space() allocates all BARs, which are further freed if epc_set_bar() fails (for instance, due to no free inbound window). However, when pci_epc_set_bar() fails, the error path: pci_epc_set_bar() -> pci_epf_free_space() do... • https://git.kernel.org/stable/c/fe2329eff5bee461ebcafadb6ca1df0cbf5945fd •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38068 – crypto: lzo - Fix compression buffer overrun
https://notcve.org/view.php?id=CVE-2025-38068
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: lzo - Fix compression buffer overrun Unlike the decompression code, the compression code in LZO never checked for output overruns. It instead assumes that the caller always provides enough buffer space, disregarding the buffer length provided by the caller. Add a safe compression interface that checks for the end of buffer before each write. Use the safe interface in crypto/lzo. In the Linux kernel, the following vulnerability has b... • https://git.kernel.org/stable/c/4b173bb2c4665c23f8fcf5241c7b06dfa6b5b111 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38067 – rseq: Fix segfault on registration when rseq_cs is non-zero
https://notcve.org/view.php?id=CVE-2025-38067
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: rseq: Fix segfault on registration when rseq_cs is non-zero The rseq_cs field is documented as being set to 0 by user-space prior to registration, however this is not currently enforced by the kernel. This can result in a segfault on return to user-space if the value stored in the rseq_cs field doesn't point to a valid struct rseq_cs. The correct solution to this would be to fail the rseq registration when the rseq_cs field is non-zero. How... • https://git.kernel.org/stable/c/2df285dab00fa03a3ef939b6cb0d0d0aeb0791db •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38066 – dm cache: prevent BUG_ON by blocking retries on failed device resumes
https://notcve.org/view.php?id=CVE-2025-38066
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: dm cache: prevent BUG_ON by blocking retries on failed device resumes A cache device failing to resume due to mapping errors should not be retried, as the failure leaves a partially initialized policy object. Repeating the resume operation risks triggering BUG_ON when reloading cache mappings into the incomplete policy object. Reproduce steps: 1. create a cache metadata consisting of 512 or more cache blocks, with some mappings stored in th... • https://git.kernel.org/stable/c/c614584c2a66b538f469089ac089457a34590c14 •