CVSS: 5.5EPSS: %CPEs: 2EXPL: 0CVE-2025-37906 – ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd
https://notcve.org/view.php?id=CVE-2025-37906
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd ublk_cancel_cmd() calls io_uring_cmd_done() to complete uring_cmd, but we may have scheduled task work via io_uring_cmd_complete_in_task() for dispatching request, then kernel crash can be triggered. Fix it by not trying to canceling the command if ublk block request is started. In the Linux kernel, the following vulnerability has been resolved: ublk: fix race between ... • https://git.kernel.org/stable/c/216c8f5ef0f209a3797292c487bdaa6991ab4b92 •
CVSS: 7.2EPSS: %CPEs: 6EXPL: 0CVE-2025-37905 – firmware: arm_scmi: Balance device refcount when destroying devices
https://notcve.org/view.php?id=CVE-2025-37905
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Balance device refcount when destroying devices Using device_find_child() to lookup the proper SCMI device to destroy causes an unbalance in device refcount, since device_find_child() calls an implicit get_device(): this, in turns, inhibits the call of the provided release methods upon devices destruction. As a consequence, one of the structures that is not freed properly upon destruction is the internal struct device_pr... • https://git.kernel.org/stable/c/d4f9dddd21f39395c62ea12d3d91239637d4805f •
CVSS: 7.2EPSS: %CPEs: 5EXPL: 0CVE-2025-37903 – drm/amd/display: Fix slab-use-after-free in hdcp
https://notcve.org/view.php?id=CVE-2025-37903
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix slab-use-after-free in hdcp The HDCP code in amdgpu_dm_hdcp.c copies pointers to amdgpu_dm_connector objects without incrementing the kref reference counts. When using a USB-C dock, and the dock is unplugged, the corresponding amdgpu_dm_connector objects are freed, creating dangling pointers in the HDCP code. When the dock is plugged back, the dangling pointers are dereferenced, resulting in a slab-use-after-free: [ 66.... • https://git.kernel.org/stable/c/da3fd7ac0bcf372cc57117bdfcd725cca7ef975a •
CVSS: 5.5EPSS: %CPEs: 5EXPL: 0CVE-2025-37901 – irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs
https://notcve.org/view.php?id=CVE-2025-37901
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: irqchip/qcom-mpm: Prevent crash when trying to handle non-wake GPIOs On Qualcomm chipsets not all GPIOs are wakeup capable. Those GPIOs do not have a corresponding MPM pin and should not be handled inside the MPM driver. The IRQ domain hierarchy is always applied, so it's required to explicitly disconnect the hierarchy for those. The pinctrl-msm driver marks these with GPIO_NO_WAKE_IRQ. qcom-pdc has a check for this, but irq-qcom-mpm is cur... • https://git.kernel.org/stable/c/a6199bb514d8a63f61c2a22c1f912376e14d0fb2 •
CVSS: 5.6EPSS: %CPEs: 3EXPL: 0CVE-2025-37900 – iommu: Fix two issues in iommu_copy_struct_from_user()
https://notcve.org/view.php?id=CVE-2025-37900
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: iommu: Fix two issues in iommu_copy_struct_from_user() In the review for iommu_copy_struct_to_user() helper, Matt pointed out that a NULL pointer should be rejected prior to dereferencing it: https://lore.kernel.org/all/86881827-8E2D-461C-BDA3-FA8FD14C343C@nvidia.com And Alok pointed out a typo at the same time: https://lore.kernel.org/all/480536af-6830-43ce-a327-adbd13dc3f1d@oracle.com Since both issues were copied from iommu_copy_struct_f... • https://git.kernel.org/stable/c/e9d36c07bb787840e4813fb09a929a17d522a69f •
CVSS: 7.8EPSS: %CPEs: 3EXPL: 0CVE-2025-37899 – ksmbd: fix use-after-free in session logoff
https://notcve.org/view.php?id=CVE-2025-37899
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being free'd. The handler for that connection could be in the smb2_sess_setup function which makes use of sess->user. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff The sess->user ... • https://git.kernel.org/stable/c/d5ec1d79509b3ee01de02c236f096bc050221b7f •
CVSS: 6.6EPSS: %CPEs: 5EXPL: 0CVE-2025-37897 – wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release
https://notcve.org/view.php?id=CVE-2025-37897
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: plfxlc: Remove erroneous assert in plfxlc_mac_release plfxlc_mac_release() asserts that mac->lock is held. This assertion is incorrect, because even if it was possible, it would not be the valid behaviour. The function is used when probe fails or after the device is disconnected. In both cases mac->lock can not be held as the driver is not working with the device at the moment. All functions that use mac->lock unlock it just after it ... • https://git.kernel.org/stable/c/68d57a07bfe5bb29b80cd8b8fa24c9d1ea104124 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-37892 – mtd: inftlcore: Add error check for inftl_read_oob()
https://notcve.org/view.php?id=CVE-2025-37892
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwriteunit(), the return value of inftl_read_oob() need to be checked. A proper implementation can be found in INFTL_deleteblock(). The status will be set as SECTOR_IGNORE to break from the while-loop correctly if the inftl_read_oob() fails. In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwri... • https://git.kernel.org/stable/c/8593fbc68b0df1168995de76d1af38eb62fd6b62 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37891 – ALSA: ump: Fix buffer overflow at UMP SysEx message conversion
https://notcve.org/view.php?id=CVE-2025-37891
19 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: ump: Fix buffer overflow at UMP SysEx message conversion The conversion function from MIDI 1.0 to UMP packet contains an internal buffer to keep the incoming MIDI bytes, and its size is 4, as it was supposed to be the max size for a MIDI1 UMP packet data. However, the implementation overlooked that SysEx is handled in a different format, and it can be up to 6 bytes, as found in do_convert_to_ump(). It leads eventually to a buffer over... • https://git.kernel.org/stable/c/0b5288f5fe63eab687c14e5940b9e0d532b129f2 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-37890 – net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc
https://notcve.org/view.php?id=CVE-2025-37890
16 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a UAF vulnerability in class with netem as child qdisc As described in Gerrard's report [1], we have a UAF case when an hfsc class has a netem child qdisc. The crux of the issue is that hfsc is assuming that checking for cl->qdisc->q.qlen == 0 guarantees that it hasn't inserted the class in the vttree or eltree (which is not true for the netem duplicate case). This patch checks the n_active class variable to make sure t... • https://git.kernel.org/stable/c/37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea •