CVSS: 6.9 EPSS: 0% CPEs: 9 EXPL: 0 CVE-2025-39994 – media: tuner: xc5000: Fix use-after-free in xc5000_release
https://notcve.org/view.php?id=CVE-2025-39994
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: media: tuner: xc5000: Fix use-after-free in xc5000_release The original code uses cancel_delayed_work() in xc5000_release(), which does not guarantee that the delayed work item timer_sleep has fully completed if it was already running. This leads to use-after-free scenarios where xc5000_release() may free the xc5000_priv while timer_sleep is still active and attempts to dereference the xc5000_priv. A typical race condition is illustrated be... • https://git.kernel.org/stable/c/f7a27ff1fb77e114d1059a5eb2ed1cffdc508ce8 •
CVSS: 7.1 EPSS: 0% CPEs: 9 EXPL: 0 CVE-2025-39993 – media: rc: fix races with imon_disconnect()
https://notcve.org/view.php?id=CVE-2025-39993
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1... • https://git.kernel.org/stable/c/21677cfc562a27e099719d413287bc8d1d24deb7 •
CVSS: 7.2 EPSS: 0% CPEs: 3 EXPL: 0 CVE-2025-39990 – bpf: Check the helper function is valid in get_helper_proto
https://notcve.org/view.php?id=CVE-2025-39990
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Check the helper function is valid in get_helper_proto kernel test robot reported verifier bug [1] where the helper func pointer could be NULL due to disabled config option. As Alexei suggested we could check on that in get_helper_proto directly. Marking tail_call helper func with BPF_PTR_POISON, because it is unused by design. [1] https://lore.kernel.org/oe-lkp/202507160818.68358831-lkp@intel.com In the Linux kernel, the following vul... • https://git.kernel.org/stable/c/3d429cb1278e995e22995ef117fa96d223a67e93 •
CVSS: 7.3 EPSS: 0% CPEs: 8 EXPL: 0 CVE-2025-39987 – can: hi311x: populate ndo_change_mtu() to prevent buffer overflow
https://notcve.org/view.php?id=CVE-2025-39987
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: hi311x: populate ndo_change_mtu() to prevent buffer overflow Sending a PF_PACKET allows bypassing the CAN framework logic and directly reaching the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. Unfortunately, because the sun4i_can driver does not populate its net_device_ops->ndo_change_mtu(), it is possible for an attacker to config... • https://git.kernel.org/stable/c/57e83fb9b7468c75cb65cde1d23043553c346c6d •
CVSS: 8.5 EPSS: 0% CPEs: 8 EXPL: 0 CVE-2025-39986 – can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow
https://notcve.org/view.php?id=CVE-2025-39986
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: sun4i_can: populate ndo_change_mtu() to prevent buffer overflow Sending a PF_PACKET allows bypassing the CAN framework logic and directly reaching the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. Unfortunately, because the sun4i_can driver does not populate its net_device_ops->ndo_change_mtu(), it is possible for an attacker to con... • https://git.kernel.org/stable/c/0738eff14d817a02ab082c392c96a1613006f158 •
CVSS: 8.5 EPSS: 0% CPEs: 8 EXPL: 0 CVE-2025-39985 – can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow
https://notcve.org/view.php?id=CVE-2025-39985
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: populate ndo_change_mtu() to prevent buffer overflow Sending a PF_PACKET allows bypassing the CAN framework logic and directly reaching the xmit() function of a CAN driver. The only check which is performed by the PF_PACKET framework is to make sure that skb->len fits the interface's MTU. Unfortunately, because the mcba_usb driver does not populate its net_device_ops->ndo_change_mtu(), it is possible for an attacker to confi... • https://git.kernel.org/stable/c/51f3baad7de943780ce0c17bd7975df567dd6e14 •
CVSS: 7.2 EPSS: 0% CPEs: 8 EXPL: 0 CVE-2025-39973 – i40e: add validation for ring_len param
https://notcve.org/view.php?id=CVE-2025-39973
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: add validation for ring_len param The `ring_len` parameter provided by the virtual function (VF) is assigned directly to the hardware memory context (HMC) without any validation. To address this, introduce an upper boundary check for both Tx and Rx queue lengths. The maximum number of descriptors supported by the hardware is 8k-32. Additionally, enforce alignment constraints: Tx rings must be a multiple of 8, and Rx rings must be a mu... • https://git.kernel.org/stable/c/5c3c48ac6bf56367c4e89f6453cd2d61e50375bd •
CVSS: 7.2 EPSS: 0% CPEs: 8 EXPL: 0 CVE-2025-39972 – i40e: fix idx validation in i40e_validate_queue_map
https://notcve.org/view.php?id=CVE-2025-39972
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in i40e_validate_queue_map Ensure idx is within range of active/initialized TCs when iterating over vf->ch[idx] in i40e_validate_queue_map(). • https://git.kernel.org/stable/c/c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 •
CVSS: 7.2 EPSS: 0% CPEs: 8 EXPL: 0 CVE-2025-39971 – i40e: fix idx validation in config queues msg
https://notcve.org/view.php?id=CVE-2025-39971
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: fix idx validation in config queues msg Ensure idx is within range of active/initialized TCs when iterating over vf->ch[idx] in i40e_vc_config_queues_msg(). • https://git.kernel.org/stable/c/c27eac48160de72dee33d42b5a33cc7b8a2eb1f5 •
CVSS: 6.6 EPSS: 0% CPEs: 8 EXPL: 0 CVE-2025-39970 – i40e: fix input validation logic for action_meta
https://notcve.org/view.php?id=CVE-2025-39970
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: fix input validation logic for action_meta Fix condition to check 'greater or equal' to prevent OOB dereference. • https://git.kernel.org/stable/c/e284fc280473bed23f2e1ed324e102a48f7d17e1 •
