CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21727 – padata: fix UAF in padata_reorder
https://notcve.org/view.php?id=CVE-2025-21727
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace:
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-21726 – padata: avoid UAF for reorder_work
https://notcve.org/view.php?id=CVE-2025-21726
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: padata: avoid UAF for reorder_work Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below: crypto_request crypto_request crypto_del_alg padata_do_serial ... padata_reorder // processes all remaining // requests then breaks while (1) { if (!padata) break; ... } padata_do_serial // new request added list_add // sees the new request queue_wo... • https://git.kernel.org/stable/c/bbefa1dd6a6d53537c11624752219e39959d04fb • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21722 – nilfs2: do not force clear folio if buffer is referenced
https://notcve.org/view.php?id=CVE-2025-21722
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: do not force clear folio if buffer is referenced Patch series "nilfs2: protect busy buffer heads from being force-cleared". This series fixes the buffer head state inconsistency issues reported by syzbot that occurs when the filesystem is corrupted and falls back to read-only, and the associated buffer head use-after-free issue. This patch (of 2): Syzbot has reported that after nilfs2 detects filesystem corruption and falls back to ... • https://git.kernel.org/stable/c/8c26c4e2694a163d525976e804d81cd955bbb40c • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21721 – nilfs2: handle errors that nilfs_prepare_chunk() may return
https://notcve.org/view.php?id=CVE-2025-21721
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: handle errors that nilfs_prepare_chunk() may return Patch series "nilfs2: fix issues with rename operations". This series fixes BUG_ON check failures reported by syzbot around rename operations, and a minor behavioral issue where the mtime of a child directory changes when it is renamed instead of moved. This patch (of 2): The directory manipulation routines nilfs_set_link() and nilfs_delete_entry() rewrite the directory entry in th... • https://git.kernel.org/stable/c/2ba466d74ed74f073257f86e61519cb8f8f46184 •
CVSS: 9.4EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21719 – ipmr: do not call mr_mfc_uses_dev() for unres entries
https://notcve.org/view.php?id=CVE-2025-21719
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ipmr: do not call mr_mfc_uses_dev() for unres entries syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to "struct sk_buff_head unresolved", which contain two pointers. This code never worked, lets remove it. [1] Unable to handle kernel paging request at virtual address ffff5fff2d536613 KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffeff... • https://git.kernel.org/stable/c/cb167893f41e21e6bd283d78e53489289dc0592d •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21718 – net: rose: fix timer races against user threads
https://notcve.org/view.php?id=CVE-2025-21718
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: rose: fix timer races against user threads Rose timers only acquire the socket spinlock, without checking if the socket is owned by one user thread. Add a check and rearm the timers if needed. BUG: KASAN: slab-use-after-free in rose_timer_expiry+0x31d/0x360 net/rose/rose_timer.c:174 Read of size 2 at addr ffff88802f09b82a by task swapper/0/0 CPU: 0 UID: 0 PID: 0 Comm: swapper/0 Not tainted 6.13.0-rc5-syzkaller-00172-gd1bf27c4e176 #0 Ha... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 0CVE-2025-21715 – net: davicom: fix UAF in dm9000_drv_remove
https://notcve.org/view.php?id=CVE-2025-21715
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: davicom: fix UAF in dm9000_drv_remove dm is netdev private data and it cannot be used after free_netdev() call. Using dm after free_netdev() can cause UAF bug. Fix it by moving free_netdev() at the end of the function. This is similar to the issue fixed in commit ad297cd2db89 ("net: qcom/emac: fix UAF in emac_remove"). This bug is detected by our static analysis tool. • https://git.kernel.org/stable/c/cf9e60aa69ae6c40d3e3e4c94dd6c8de31674e9b • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21712 – md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime
https://notcve.org/view.php?id=CVE-2025-21712
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: md/md-bitmap: Synchronize bitmap_get_stats() with bitmap lifetime After commit ec6bb299c7c3 ("md/md-bitmap: add 'sync_size' into struct md_bitmap_stats"), following panic is reported: Oops: general protection fault, probably for non-canonical address RIP: 0010:bitmap_get_stats+0x2b/0xa0 Call Trace:
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21711 – net/rose: prevent integer overflows in rose_setsockopt()
https://notcve.org/view.php?id=CVE-2025-21711
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net/rose: prevent integer overflows in rose_setsockopt() In case of possible unpredictably large arguments passed to rose_setsockopt() and multiplied by extra values on top of that, integer overflows may occur. Do the safest minimum and fix these issues by checking the contents of 'opt' and returning -EINVAL if they are too large. Also, switch to unsigned int and remove useless check for negative 'opt' in ROSE_IDLE case. In the Linux kernel... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21708 – net: usb: rtl8150: enable basic endpoint checking
https://notcve.org/view.php?id=CVE-2025-21708
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: enable basic endpoint checking Syzkaller reports [1] encountering a common issue of utilizing a wrong usb endpoint type during URB submitting stage. This, in turn, triggers a warning shown below. For now, enable simple endpoint checking (specifically, bulk and interrupt eps, testing control one is not essential) to mitigate the issue with a view to do other related cosmetic changes later, if they are necessary. [1] Syzkal... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •