CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38530 – comedi: pcl812: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38530
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: pcl812: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & board->irq_bits) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ wi... • https://git.kernel.org/stable/c/fcdb427bc7cf5e9e5d7280cf09c08dec49b49432 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38529 – comedi: aio_iiro_16: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38529
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: aio_iiro_16: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test. Valid `it->options[1]` values that select the IRQ will b... • https://git.kernel.org/stable/c/ad7a370c8be47247f68f7187cc82f4f25a347116 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38528 – bpf: Reject %p% format string in bprintf-like helpers
https://notcve.org/view.php?id=CVE-2025-38528
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Reject %p% format string in bprintf-like helpers static const char fmt[] = "%p%"; bpf_trace_printk(fmt, sizeof(fmt)); The above BPF program isn't rejected and causes a kernel warning at runtime: Please remove unsupported %\x00 in format string WARNING: CPU: 1 PID: 7244 at lib/vsprintf.c:2680 format_decode+0x49c/0x5d0 This happens because bpf_bprintf_prepare skips over the second %, detected as punctuation, while processing %p. This pat... • https://git.kernel.org/stable/c/48cac3f4a96ddf08df8e53809ed066de0dc93915 •
CVSS: 7.0EPSS: 0%CPEs: 10EXPL: 0CVE-2025-38527 – smb: client: fix use-after-free in cifs_oplock_break
https://notcve.org/view.php?id=CVE-2025-38527
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in cifs_oplock_break A race condition can occur in cifs_oplock_break() leading to a use-after-free of the cinode structure when unmounting: cifs_oplock_break() _cifsFileInfo_put(cfile) cifsFileInfo_put_final() cifs_sb_deactive() [last ref, start releasing sb] kill_sb() kill_anon_super() generic_shutdown_super() evict_inodes() dispose_list() evict() destroy_inode() call_rcu(&inode->i_rcu, i_callback) spin_lock... • https://git.kernel.org/stable/c/b98749cac4a695f084a5ff076f4510b23e353ecd •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38526 – ice: add NULL check in eswitch lag check
https://notcve.org/view.php?id=CVE-2025-38526
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ice: add NULL check in eswitch lag check The function ice_lag_is_switchdev_running() is being called from outside of the LAG event handler code. This results in the lag->upper_netdev being NULL sometimes. To avoid a NULL-pointer dereference, there needs to be a check before it is dereferenced. In the Linux kernel, the following vulnerability has been resolved: ice: add NULL check in eswitch lag check The function ice_lag_is_switchdev_runnin... • https://git.kernel.org/stable/c/776fe19953b0e0af00399e50fb3b205101d4b3c1 •
CVSS: 4.7EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38524 – rxrpc: Fix recv-recv race of completed call
https://notcve.org/view.php?id=CVE-2025-38524
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recv-recv race of completed call If a call receives an event (such as incoming data), the call gets placed on the socket's queue and a thread in recvmsg can be awakened to go and process it. Once the thread has picked up the call off of the queue, further events will cause it to be requeued, and once the socket lock is dropped (recvmsg uses call->user_mutex to allow the socket to be used in parallel), a second thread can come in ... • https://git.kernel.org/stable/c/248f219cb8bcbfbd7f132752d44afa2df7c241d1 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38523 – cifs: Fix the smbd_response slab to allow usercopy
https://notcve.org/view.php?id=CVE-2025-38523
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: Fix the smbd_response slab to allow usercopy The handling of received data in the smbdirect client code involves using copy_to_iter() to copy data from the smbd_reponse struct's packet trailer to a folioq buffer provided by netfslib that encapsulates a chunk of pagecache. If, however, CONFIG_HARDENED_USERCOPY=y, this will result in the checks then performed in copy_to_iter() oopsing with something like the following: CIFS: Attempting ... • https://git.kernel.org/stable/c/ee4cdf7ba857a894ad1650d6ab77669cbbfa329e •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38521 – drm/imagination: Fix kernel crash when hard resetting the GPU
https://notcve.org/view.php?id=CVE-2025-38521
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/imagination: Fix kernel crash when hard resetting the GPU The GPU hard reset sequence calls pm_runtime_force_suspend() and pm_runtime_force_resume(), which according to their documentation should only be used during system-wide PM transitions to sleep states. The main issue though is that depending on some internal runtime PM state as seen by pm_runtime_force_suspend() (whether the usage count is <= 1), pm_runtime_force_resume() might n... • https://git.kernel.org/stable/c/cc1aeedb98ad347c06ff59e991b2f94dfb4c565d •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38520 – drm/amdkfd: Don't call mmput from MMU notifier callback
https://notcve.org/view.php?id=CVE-2025-38520
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Don't call mmput from MMU notifier callback If the process is exiting, the mmput inside mmu notifier callback from compactd or fork or numa balancing could release the last reference of mm struct to call exit_mmap and free_pgtable, this triggers deadlock with below backtrace. The deadlock will leak kfd process as mmu notifier release is not called and cause VRAM leaking. The fix is to take mm reference mmget_non_zero when adding... • https://git.kernel.org/stable/c/fa582c6f3684ac0098a9d02ddf0ed52a02b37127 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38517 – lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users()
https://notcve.org/view.php?id=CVE-2025-38517
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() alloc_tag_top_users() attempts to lock alloc_tag_cttype->mod_lock even when the alloc_tag_cttype is not allocated because: 1) alloc tagging is disabled because mem profiling is disabled (!alloc_tag_cttype) 2) alloc tagging is enabled, but not yet initialized (!alloc_tag_cttype) 3) alloc tagging is enabled, but failed initialization (!alloc_tag_cttype or IS_ERR(alloc_ta... • https://git.kernel.org/stable/c/1438d349d16b78d88f9e978a4a5496f078c8191b •