
CVE-2025-38572 – ipv6: reject malicious packets in ipv6_gso_segment()
https://notcve.org/view.php?id=CVE-2025-38572
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: reject malicious packets in ipv6_gso_segment() syzbot was able to craft a packet with very long IPv6 extension headers leading to an overflow of skb->transport_header. This 16bit field has a limited range. Add skb_reset_transport_header_careful() helper and use it from ipv6_gso_segment() WARNING: CPU: 0 PID: 5871 at ./include/linux/skbuff.h:3032 skb_reset_transport_header include/linux/skbuff.h:3032 [inline] WARNING: CPU: 0 PID: 5871 ... • https://git.kernel.org/stable/c/d1da932ed4ecad2a14cbcc01ed589d617d0f0f09 •

CVE-2025-38571 – sunrpc: fix client side handling of tls alerts
https://notcve.org/view.php?id=CVE-2025-38571
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix client side handling of tls alerts A security exploit was discovered in NFS over TLS in tls_alert_recv due to its assumption that there is valid data in the msghdr's iterator's kvec. Instead, this patch proposes to rework how control messages are set up and used by sock_recvmsg(). If no control message structure is set up, the kTLS layer will read and process TLS data record types. As soon as it encounters a TLS control message, it w... • https://git.kernel.org/stable/c/dea034b963c8901bdcc3d3880c04f0d75c95112f •

CVE-2025-38570 – eth: fbnic: unlink NAPIs from queues on error to open
https://notcve.org/view.php?id=CVE-2025-38570
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: eth: fbnic: unlink NAPIs from queues on error to open CI hit a UaF in fbnic in the AF_XDP portion of the queues.py test. The UaF is in the __sk_mark_napi_id_once() call in xsk_bind(), NAPI has been freed. Looks like the device failed to open earlier, and we lack clearing the NAPI pointer from the queue. • https://git.kernel.org/stable/c/557d02238e05eb66b9aba9a1f90f3a2131c6c887 •

CVE-2025-38569 – benet: fix BUG when creating VFs
https://notcve.org/view.php?id=CVE-2025-38569
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: benet: fix BUG when creating VFs benet crashes as soon as SRIOV VFs are created: kernel BUG at mm/vmalloc.c:3457! Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI CPU: 4 UID: 0 PID: 7408 Comm: test.sh Kdump: loaded Not tainted 6.16.0+ #1 PREEMPT(voluntary) [...] RIP: 0010:vunmap+0x5f/0x70 [...] Call Trace:

CVE-2025-38568 – net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing
https://notcve.org/view.php?id=CVE-2025-38568
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing TCA_MQPRIO_TC_ENTRY_INDEX is validated using NLA_POLICY_MAX(NLA_U32, TC_QOPT_MAX_QUEUE), which allows the value TC_QOPT_MAX_QUEUE (16). This leads to a 4-byte out-of-bounds stack write in the fp[] array, which only has room for 16 elements (0–15). Fix this by changing the policy to allow only up to TC_QOPT_MAX_QUEUE - 1. • https://git.kernel.org/stable/c/f62af20bed2d9e824f51cfc97ff01bc261f40e58 •

CVE-2025-38566 – sunrpc: fix handling of server side tls alerts
https://notcve.org/view.php?id=CVE-2025-38566
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: sunrpc: fix handling of server side tls alerts Scott Mayhew discovered a security exploit in NFS over TLS in tls_alert_recv() due to its assumption it can read data from the msg iterator's kvec. kTLS implementation splits TLS non-data record payload between the control message buffer (which includes the type such as TLS alert or TLS cipher change) and the rest of the payload (say TLS alert's level/description) which goes into the msg payloa... • https://git.kernel.org/stable/c/5e052dda121e2870dd87181783da4a95d7d2927b •

CVE-2025-38565 – perf/core: Exit early on perf_mmap() fail
https://notcve.org/view.php?id=CVE-2025-38565
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: perf/core: Exit early on perf_mmap() fail When perf_mmap() fails to allocate a buffer, it still invokes the event_mapped() callback of the related event. On X86 this might increase the perf_rdpmc_allowed reference counter. But nothing undoes this as perf_mmap_close() is never called in this case, which causes another reference count leak. Return early on failure to prevent that. • https://git.kernel.org/stable/c/1e0fb9ec679c9273a641f1d6f3d25ea47baef2bb •

CVE-2025-38564 – perf/core: Handle buffer mapping fail correctly in perf_mmap()
https://notcve.org/view.php?id=CVE-2025-38564
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: perf/core: Handle buffer mapping fail correctly in perf_mmap() After successful allocation of a buffer or a successful attachment to an existing buffer perf_mmap() tries to map the buffer read only into the page table. If that fails, the already set up page table entries are zapped, but the other perf specific side effects of that failure are not handled. The calling code just cleans up the VMA and does not invoke perf_mmap_close(). This le... • https://git.kernel.org/stable/c/b709eb872e19a19607bbb6d2975bc264d59735cf •

CVE-2025-38563 – perf/core: Prevent VMA split of buffer mappings
https://notcve.org/view.php?id=CVE-2025-38563
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: perf/core: Prevent VMA split of buffer mappings The perf mmap code is careful about mmap()'ing the user page with the ringbuffer and additionally the auxiliary buffer, when the event supports it. Once the first mapping is established, subsequent mappings have to use the same offset and the same size in both cases. The reference counting for the ringbuffer and the auxiliary buffer depends on this being correct. Though perf does not prevent th... • https://git.kernel.org/stable/c/45bfb2e50471abbbfd83d40d28c986078b0d24ff •

CVE-2025-38562 – ksmbd: fix null pointer dereference error in generate_encryptionkey
https://notcve.org/view.php?id=CVE-2025-38562
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference error in generate_encryptionkey If a client sends two session setups with krb5 authentication to ksmbd, a null pointer dereference error in generate_encryptionkey could happen. sess->Preauth_HashValue is set to NULL if the session is valid. So this patch skips generating the encryption key if the session is valid. • https://git.kernel.org/stable/c/96a82e19434a2522525baab59c33332658bc7653 •