CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0CVE-2025-40315 – usb: gadget: f_fs: Fix epfile null pointer access after ep enable.
https://notcve.org/view.php?id=CVE-2025-40315
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() sets ffs->epfiles to NULL before resetting ffs->eps_count to 0, leading to a NULL pointer dereference when accessing epfile->ep in ffs_func_eps_enable() after successful usb_ep_enable(). The ffs->epfiles pointer is set to NULL in both ff... • https://git.kernel.org/stable/c/c9fc422c9a43e3d58d246334a71f3390401781dc •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40314 – usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget
https://notcve.org/view.php?id=CVE-2025-40314
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its endpoints. The endpoints are linked via the ep_list in the gadget structure. Freeing the gadget first leaves dangling pointers in the endpoint list. When the endpoints are subsequently freed, this results in a use-after-free. Fix: By ... • https://git.kernel.org/stable/c/8bc1901ca7b07d864fca11461b3875b31f949765 •
CVSS: 5.6EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40313 – ntfs3: pretend $Extend records as regular files
https://notcve.org/view.php?id=CVE-2025-40313
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ntfs3: pretend $Extend records as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, use S_IFREG for $Extend records. In the Linux kernel, the following vulnerability has been resolved: ntfs3: pretend $Extend records as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any ino... • https://git.kernel.org/stable/c/4534a70b7056fd4b9a1c6db5a4ce3c98546b291e •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40312 – jfs: Verify inode mode when loading from disk
https://notcve.org/view.php?id=CVE-2025-40312
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: Verify inode mode when loading from disk The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk") does. In the Linux kernel, the following vulnerability has been resolved: jfs: Verify inode mode when loading from disk The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 ("isofs: Verify inode mode when loading from... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40311 – accel/habanalabs: support mapping cb with vmalloc-backed coherent memory
https://notcve.org/view.php?id=CVE-2025-40311
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped without VM_MIXEDMAP, vm_insert_page() will trigger a BUG_ON due to the VM_PFNMAP restriction. Fix this by checking for vmalloc addresses and setting VM_MIXEDMAP in the VMA before mapping. This ensures safe mapping and avoids kernel crashes... • https://git.kernel.org/stable/c/ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-40308 – Bluetooth: bcsp: receive data only if registered
https://notcve.org/view.php?id=CVE-2025-40308
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace:
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40307 – exfat: validate cluster allocation bits of the allocation bitmap
https://notcve.org/view.php?id=CVE-2025-40307
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: exfat: validate cluster allocation bits of the allocation bitmap syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can r... • https://git.kernel.org/stable/c/1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40306 – orangefs: fix xattr related buffer overflow...
https://notcve.org/view.php?id=CVE-2025-40306
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: orangefs: fix xattr related buffer overflow... Willy Tarreau
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40304 – fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
https://notcve.org/view.php?id=CVE-2025-40304
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer siz... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40303 – btrfs: ensure no dirty metadata is written back for an fs with errors
https://notcve.org/view.php?id=CVE-2025-40303
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: ensure no dirty metadata is written back for an fs with errors [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers(). It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger th... • https://git.kernel.org/stable/c/13e6c37b989859e70b0d73d3f2cb0aa022159b17 •