
CVE-2025-38064 – virtio: break and reset virtio devices on device_shutdown()
https://notcve.org/view.php?id=CVE-2025-38064
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: virtio: break and reset virtio devices on device_shutdown() Hongyu reported a hang on kexec in a VM. QEMU reported invalid memory accesses during the hang. Invalid read at addr 0x102877002, size 2, region '(null)', reason: rejected Invalid write at addr 0x102877A44, size 2, region '(null)', reason: rejected ... It was traced down to virtio-console. Kexec works fine if virtio-console is not in use. • https://git.kernel.org/stable/c/aee42f3d57bfa37b2716df4584edeecf63b9df4c •

CVE-2025-38063 – dm: fix unconditional IO throttle caused by REQ_PREFLUSH
https://notcve.org/view.php?id=CVE-2025-38063
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: dm: fix unconditional IO throttle caused by REQ_PREFLUSH When a bio with REQ_PREFLUSH is submitted to dm, __send_empty_flush() generates a flush_bio with REQ_OP_WRITE | REQ_PREFLUSH | REQ_SYNC, which causes the flush_bio to be throttled by wbt_wait(). An example from v5.4, similar problem also exists in upstream: crash> bt 2091206 PID: 2091206 TASK: ffff2050df92a300 CPU: 109 COMMAND: "kworker/u260:0" #0 [ffff800084a2f7f0] __switch_to at fff... • https://git.kernel.org/stable/c/95d08924335f3b6f4ea0b92ebfe4fe0731c502d9 •

CVE-2025-38062 – genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie
https://notcve.org/view.php?id=CVE-2025-38062
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie The IOMMU translation for MSI message addresses has been a 2-step process, separated in time: 1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address is stored in the MSI descriptor when an MSI interrupt is allocated. 2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a translated message address. This has an inherent lifetime ... • https://git.kernel.org/stable/c/e4d3763223c7b72ded53425207075e7453b4e3d5 •

CVE-2025-38061 – net: pktgen: fix access outside of user given buffer in pktgen_thread_write()
https://notcve.org/view.php?id=CVE-2025-38061
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Honour the user given buffer size for the strn_len() calls (otherwise strn_len() will access memory outside of the user given buffer). • https://git.kernel.org/stable/c/a3d89f1cfe1e6d4bb164db2595511fd33db21900 •

CVE-2025-38060 – bpf: copy_verifier_state() should copy 'loop_entry' field
https://notcve.org/view.php?id=CVE-2025-38060
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: copy_verifier_state() should copy 'loop_entry' field The bpf_verifier_state.loop_entry state should be copied by copy_verifier_state(). Otherwise, .loop_entry values from unrelated states would poison env->cur_state. Additionally, env->stack should not contain any states with .loop_entry != NULL. The states in env->stack are yet to be verified, while .loop_entry is set for states that reached an equivalent state. This means that env->c... • https://git.kernel.org/stable/c/46ba5757a7a4714e7d3f68cfe118208822cb3d78 •

CVE-2025-38059 – btrfs: avoid NULL pointer dereference if no valid csum tree
https://notcve.org/view.php?id=CVE-2025-38059
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid NULL pointer dereference if no valid csum tree [BUG] When trying read-only scrub on a btrfs with rescue=idatacsums mount option, it will crash with the following call trace: BUG: kernel NULL pointer dereference, address: 0000000000000208 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G O 6.15.0-rc3-custom+ #236 PREEMPT(full) Hardware name: QEMU S... • https://git.kernel.org/stable/c/50d0de59f66cbe6d597481e099bf1c70fd07e0a9 •

CVE-2025-38058 – __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock
https://notcve.org/view.php?id=CVE-2025-38058
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock ... or we risk stealing final mntput from sync umount - raising mnt_count after umount(2) has verified that victim is not busy, but before it has set MNT_SYNC_UMOUNT; in that case __legitimize_mnt() doesn't see that it's safe to quietly undo mnt_count increment and leaves dropping the reference to caller, where it'll be a full-blown mntput(). Check under mount_lock is ... • https://git.kernel.org/stable/c/628fb00195ce21a90cf9e4e3d105cd9e58f77b40 •

CVE-2025-38057 – espintcp: fix skb leaks
https://notcve.org/view.php?id=CVE-2025-38057
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: espintcp: fix skb leaks A few error paths are missing a kfree_skb. • https://git.kernel.org/stable/c/e27cca96cd68fa2c6814c90f9a1cfd36bb68c593 •

CVE-2025-38052 – net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done
https://notcve.org/view.php?id=CVE-2025-38052
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done Syzbot reported a slab-use-after-free with the following call trace: ================================================================== BUG: KASAN: slab-use-after-free in tipc_aead_encrypt_done+0x4bd/0x510 net/tipc/crypto.c:840 Read of size 8 at addr ffff88807a733000 by task kworker/1:0/25 Call Trace: kasan_report+0xd9/0x110 mm/kasan/report.c:601 tipc_aead_encrypt_done+0x4bd/0... • https://git.kernel.org/stable/c/fc1b6d6de2208774efd2a20bf0daddb02d18b1e0 •

CVE-2025-38051 – smb: client: Fix use-after-free in cifs_fill_dirent
https://notcve.org/view.php?id=CVE-2025-38051
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix use-after-free in cifs_fill_dirent There is a race condition in the readdir concurrency process, which may access the rsp buffer after it has been released, triggering the following KASAN warning. ================================================================== BUG: KASAN: slab-use-after-free in cifs_fill_dirent+0xb03/0xb60 [cifs] Read of size 4 at addr ffff8880099b819c by task a.out/342975 CPU: 2 UID: 0 PID: 342975 Comm:... • https://git.kernel.org/stable/c/a364bc0b37f14ffd66c1f982af42990a9d77fa43 •