CVSS: 7.0EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38595 – xen: fix UAF in dmabuf_exp_from_pages()
https://notcve.org/view.php?id=CVE-2025-38595
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: xen: fix UAF in dmabuf_exp_from_pages() [dma_buf_fd() fixes; no preferences regarding the tree it goes through - up to xen folks] As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's fine for the case when all we are doing is returning that descriptor to userland (it's a race, but it's a userland race and there's nothing the kernel can do about it). However, if we follow fd_install() with an... • https://git.kernel.org/stable/c/a240d6e42e28c34fdc34b3a98ca838a31c939901 •
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38593 – Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'
https://notcve.org/view.php?id=CVE-2025-38593
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()' Function 'hci_discovery_filter_clear()' frees 'uuids' array and then sets it to NULL. There is a tiny chance of the following race: 'hci_cmd_sync_work()' 'update_passive_scan_sync()' 'hci_update_passive_scan_sync()' 'hci_discovery_filter_clear()' kfree(uuids); <-------------------------preempted--------------------------------> 'start_service_discovery()' 'hci_discovery_... • https://git.kernel.org/stable/c/ad383c2c65a5baf16e334cd40a013cc302176891 •
CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38592 – Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv
https://notcve.org/view.php?id=CVE-2025-38592
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv Currently both dev_coredumpv and skb_put_data in hci_devcd_dump use hdev->dump.head. However, dev_coredumpv can free the buffer. From dev_coredumpm_timeout documentation, which is used by dev_coredumpv: > Creates a new device coredump for the given device. If a previous one hasn't > been read yet, the new coredump is discarded. The data lifetime is determined > by the device cor... • https://git.kernel.org/stable/c/b257e02ecc46f8561d8bd88943164a10c9e90a80 •
CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0CVE-2025-38591 – bpf: Reject narrower access to pointer ctx fields
https://notcve.org/view.php?id=CVE-2025-38591
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buff. This access is detected as a narrower read in bpf_skb_is_valid_access because it doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed and later proceeds to bpf_convert_ctx_access. Note that for the "is_na... • https://git.kernel.org/stable/c/f96da09473b52c09125cc9bf7d7d4576ae8229e0 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38590 – net/mlx5e: Remove skb secpath if xfrm state is not found
https://notcve.org/view.php?id=CVE-2025-38590
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Remove skb secpath if xfrm state is not found Hardware returns a unique identifier for a decrypted packet's xfrm state, this state is looked up in an xarray. However, the state might have been freed by the time of this lookup. Currently, if the state is not found, only a counter is incremented. The secpath (sp) extension on the skb is not removed, resulting in sp->len becoming 0. Subsequently, functions like __xfrm_policy_check()... • https://git.kernel.org/stable/c/b2ac7541e3777f325c49d900550c9e3dd10c0eda •
CVSS: 5.6EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38589 – neighbour: Fix null-ptr-deref in neigh_flush_dev().
https://notcve.org/view.php?id=CVE-2025-38589
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: neighbour: Fix null-ptr-deref in neigh_flush_dev(). kernel test robot reported null-ptr-deref in neigh_flush_dev(). [0] The cited commit introduced per-netdev neighbour list and converted neigh_flush_dev() to use it instead of the global hash table. One thing we missed is that neigh_table_clear() calls neigh_ifdown() with NULL dev. Let's restore the hash table iteration. Note that IPv6 module is no longer unloadable, so neigh_table_clear() ... • https://git.kernel.org/stable/c/f7f52738637f4361c108cad36e23ee98959a9006 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38588 – ipv6: prevent infinite loop in rt6_nlmsg_size()
https://notcve.org/view.php?id=CVE-2025-38588
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent infinite loop in rt6_nlmsg_size() While testing prior patch, I was able to trigger an infinite loop in rt6_nlmsg_size() in the following place: list_for_each_entry_rcu(sibling, &f6i->fib6_siblings, fib6_siblings) { rt6_nh_nlmsg_size(sibling->fib6_nh, &nexthop_len); } This is because fib6_del_route() and fib6_add_rt2node() uses list_del_rcu(), which can confuse rcu readers, because they might no longer see the head of the list.... • https://git.kernel.org/stable/c/d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38587 – ipv6: fix possible infinite loop in fib6_info_uses_dev()
https://notcve.org/view.php?id=CVE-2025-38587
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible infinite loop in fib6_info_uses_dev() fib6_info_uses_dev() seems to rely on RCU without an explicit protection. Like the prior fix in rt6_nlmsg_size(), we need to make sure fib6_del_route() or fib6_add_rt2node() have not removed the anchor from the list, or we risk an infinite loop. In the Linux kernel, the following vulnerability has been resolved: ipv6: fix possible infinite loop in fib6_info_uses_dev() fib6_info_uses_d... • https://git.kernel.org/stable/c/d0ec61c9f3583b76aebdbb271f5c0d3fcccd48b2 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38586 – bpf, arm64: Fix fp initialization for exception boundary
https://notcve.org/view.php?id=CVE-2025-38586
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Fix fp initialization for exception boundary In the ARM64 BPF JIT when prog->aux->exception_boundary is set for a BPF program, find_used_callee_regs() is not called because for a program acting as exception boundary, all callee saved registers are saved. find_used_callee_regs() sets `ctx->fp_used = true;` when it sees FP being used in any of the instructions. For programs acting as exception boundary, ctx->fp_used remains false ... • https://git.kernel.org/stable/c/5d4fa9ec5643a5c75d3c1e6abf50fb9284caf1ff •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38585 – staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int()
https://notcve.org/view.php?id=CVE-2025-38585
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() When gmin_get_config_var() calls efi.get_variable() and the EFI variable is larger than the expected buffer size, two behaviors combine to create a stack buffer overflow: 1. gmin_get_config_var() does not return the proper error code when efi.get_variable() fails. It returns the stale 'ret' value from earlier operations instead of indicating the EFI failure. 2. When ef... • https://git.kernel.org/stable/c/38d4f74bc14847491d07bd745dc4a2c274f4987d •