CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-39743 – jfs: truncate good inode pages when hard link is 0
https://notcve.org/view.php?id=CVE-2025-39743
11 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: truncate good inode pages when hard link is 0 The fileset value of the inode copy from the disk by the reproducer is AGGR_RESERVED_I. When executing evict, its hard link number is 0, so its inode pages are not truncated. This causes the bugon to be triggered when executing clear_inode() because nrpages is greater than 0. In the Linux kernel, the following vulnerability has been resolved: jfs: truncate good inode pages when hard link is... • https://git.kernel.org/stable/c/32983696a48a6c41d99f3eca82ba7510a552d843 •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-39724 – serial: 8250: fix panic due to PSLVERR
https://notcve.org/view.php?id=CVE-2025-39724
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: serial: 8250: fix panic due to PSLVERR When the PSLVERR_RESP_EN parameter is set to 1, the device generates an error response if an attempt is made to read an empty RBR (Receive Buffer Register) while the FIFO is enabled. In serial8250_do_startup(), calling serial_port_out(port, UART_LCR, UART_LCR_WLEN8) triggers dw8250_check_lcr(), which invokes dw8250_force_idle() and serial8250_clear_and_reinit_fifos(). The latter function enables the FI... • https://git.kernel.org/stable/c/c49436b657d0a56a6ad90d14a7c3041add7cf64d •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-39716 – parisc: Revise __get_user() to probe user read access
https://notcve.org/view.php?id=CVE-2025-39716
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: parisc: Revise __get_user() to probe user read access Because of the way read access support is implemented, read access interruptions are only triggered at privilege levels 2 and 3. The kernel executes at privilege level 0, so __get_user() never triggers a read access interruption (code 26). Thus, it is currently possible for user code to access a read protected address via a system call. Fix this by probing read access rights at privilege... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39714 – media: usbtv: Lock resolution while streaming
https://notcve.org/view.php?id=CVE-2025-39714
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: usbtv: Lock resolution while streaming When an program is streaming (ffplay) and another program (qv4l2) changes the TV standard from NTSC to PAL, the kernel crashes due to trying to copy to unmapped memory. Changing from NTSC to PAL increases the resolution in the usbtv struct, but the video plane buffer isn't adjusted, so it overflows. [hverkuil: call vb2_is_busy instead of vb2_is_streaming] In the Linux kernel, the following vulne... • https://git.kernel.org/stable/c/0e0fe3958fdd13dbf55c3a787acafde6efd04272 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39691 – fs/buffer: fix use-after-free when call bh_read() helper
https://notcve.org/view.php?id=CVE-2025-39691
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/buffer: fix use-after-free when call bh_read() helper There's issue as follows: BUG: KASAN: stack-out-of-bounds in end_buffer_read_sync+0xe3/0x110 Read of size 8 at addr ffffc9000168f7f8 by task swapper/3/0 CPU: 3 UID: 0 PID: 0 Comm: swapper/3 Not tainted 6.16.0-862.14.0.6.x86_64 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) Call Trace:
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39686 – comedi: Make insn_rw_emulate_bits() do insn->n samples
https://notcve.org/view.php?id=CVE-2025-39686
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Make insn_rw_emulate_bits() do insn->n samples The `insn_rw_emulate_bits()` function is used as a default handler for `INSN_READ` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_READ`. Similarly, it is used as a default handler for `INSN_WRITE` instructions for subdevices that have a handler for `INSN_BITS` but not for `INSN_WRITE`. It works by emulating the `INSN_READ` or `INSN_WRITE` instruction h... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39685 – comedi: pcl726: Prevent invalid irq number
https://notcve.org/view.php?id=CVE-2025-39685
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: pcl726: Prevent invalid irq number The reproducer passed in an irq number(0x80008000) that was too large, which triggered the oob. Added an interrupt number check to prevent users from passing in an irq number that was too large. If `it->options[1]` is 31, then `1 << it->options[1]` is still invalid because it shifts a 1-bit into the sign bit (which is UB in C). Possible solutions include reducing the upper bound on the `it->options... • https://git.kernel.org/stable/c/fff46207245cd9e39c05b638afaee2478e64914b •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39684 – comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl()
https://notcve.org/view.php?id=CVE-2025-39684
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized memory in do_insn_ioctl() and do_insnlist_ioctl() syzbot reports a KMSAN kernel-infoleak in `do_insn_ioctl()`. A kernel buffer is allocated to hold `insn->n` samples (each of which is an `unsigned int`). For some instruction types, `insn->n` samples are copied back to user-space, unless an error code is being returned. The problem is that not all the instruction handlers that need to return data to userspace... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0CVE-2025-39677 – net/sched: Fix backlog accounting in qdisc_dequeue_internal
https://notcve.org/view.php?id=CVE-2025-39677
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Fix backlog accounting in qdisc_dequeue_internal This issue applies for the following qdiscs: hhf, fq, fq_codel, and fq_pie, and occurs in their change handlers when adjusting to the new limit. The problem is the following in the values passed to the subsequent qdisc_tree_reduce_backlog call given a tbf parent: When the tbf parent runs out of tokens, skbs of these qdiscs will be placed in gso_skb. Their peek handlers are qdisc_pe... • https://git.kernel.org/stable/c/4b549a2ef4bef9965d97cbd992ba67930cd3e0fe •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39676 – scsi: qla4xxx: Prevent a potential error pointer dereference
https://notcve.org/view.php?id=CVE-2025-39676
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error, but qla4xxx_ep_connect() returns error pointers. Propagating the error pointers will lead to an Oops in the caller, so change the error pointers to NULL. In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() fu... • https://git.kernel.org/stable/c/13483730a13bef372894aefcf73760f5c6c297be •