CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21729 – wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion
https://notcve.org/view.php?id=CVE-2025-21729
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix race between cancel_hw_scan and hw_scan completion The rtwdev->scanning flag isn't protected by mutex originally, so cancel_hw_scan can pass the condition, but suddenly hw_scan completion unset the flag and calls ieee80211_scan_completed() that will free local->hw_scan_req. Then, cancel_hw_scan raises null-ptr-deref and use-after-free. Fix it by moving the check condition to where protected by mutex. KASAN: null-ptr-deref i... • https://git.kernel.org/stable/c/895907779752606f6a4795abfc008509f8e38314 • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-21728 – bpf: Send signals asynchronously if !preemptible
https://notcve.org/view.php?id=CVE-2025-21728
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Send signals asynchronously if !preemptible BPF programs can execute in all kinds of contexts and when a program running in a non-preemptible context uses the bpf_send_signal() kfunc, it will cause issues because this kfunc can sleep. Change `irqs_disabled()` to `!preemptible()`. In the Linux kernel, the following vulnerability has been resolved: bpf: Send signals asynchronously if !preemptible BPF programs can execute in all kinds of ... • https://git.kernel.org/stable/c/1bc7896e9ef44fd77858b3ef0b8a6840be3a4494 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21727 – padata: fix UAF in padata_reorder
https://notcve.org/view.php?id=CVE-2025-21727
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: padata: fix UAF in padata_reorder A bug was found when run ltp test: BUG: KASAN: slab-use-after-free in padata_find_next+0x29/0x1a0 Read of size 4 at addr ffff88bbfe003524 by task kworker/u113:2/3039206 CPU: 0 PID: 3039206 Comm: kworker/u113:2 Kdump: loaded Not tainted 6.6.0+ Workqueue: pdecrypt_parallel padata_parallel_worker Call Trace:
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-21726 – padata: avoid UAF for reorder_work
https://notcve.org/view.php?id=CVE-2025-21726
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: padata: avoid UAF for reorder_work Although the previous patch can avoid ps and ps UAF for _do_serial, it can not avoid potential UAF issue for reorder_work. This issue can happen just as below: crypto_request crypto_request crypto_del_alg padata_do_serial ... padata_reorder // processes all remaining // requests then breaks while (1) { if (!padata) break; ... } padata_do_serial // new request added list_add // sees the new request queue_wo... • https://git.kernel.org/stable/c/bbefa1dd6a6d53537c11624752219e39959d04fb • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21725 – smb: client: fix oops due to unset link speed
https://notcve.org/view.php?id=CVE-2025-21725
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix oops due to unset link speed It isn't guaranteed that NETWORK_INTERFACE_INFO::LinkSpeed will always be set by the server, so the client must handle any values and then prevent oopses like below from happening: Oops: divide error: 0000 [#1] PREEMPT SMP KASAN NOPTI CPU: 0 UID: 0 PID: 1323 Comm: cat Not tainted 6.13.0-rc7 #2 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-3.fc41 04/01/2014 RIP: 0010:cifs_debug_... • https://git.kernel.org/stable/c/548893404c44fc01a59f17727876e02553146fe6 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21724 – iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()
https://notcve.org/view.php?id=CVE-2025-21724
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index() where shifting the constant "1" (of type int) by bitmap->mapped.pgshift (an unsigned long value) could result in undefined behavior. The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds 31 (e.g., pgshift = 63) the shift operation overflows, as the result cannot be represe... • https://git.kernel.org/stable/c/58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21723 – scsi: mpi3mr: Fix possible crash when setting up bsg fails
https://notcve.org/view.php?id=CVE-2025-21723
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix possible crash when setting up bsg fails If bsg_setup_queue() fails, the bsg_queue is assigned a non-NULL value. Consequently, in mpi3mr_bsg_exit(), the condition "if(!mrioc->bsg_queue)" will not be satisfied, preventing execution from entering bsg_remove_queue(), which could lead to the following crash: BUG: kernel NULL pointer dereference, address: 000000000000041c Call Trace:
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21722 – nilfs2: do not force clear folio if buffer is referenced
https://notcve.org/view.php?id=CVE-2025-21722
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: do not force clear folio if buffer is referenced Patch series "nilfs2: protect busy buffer heads from being force-cleared". This series fixes the buffer head state inconsistency issues reported by syzbot that occurs when the filesystem is corrupted and falls back to read-only, and the associated buffer head use-after-free issue. This patch (of 2): Syzbot has reported that after nilfs2 detects filesystem corruption and falls back to ... • https://git.kernel.org/stable/c/8c26c4e2694a163d525976e804d81cd955bbb40c • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21721 – nilfs2: handle errors that nilfs_prepare_chunk() may return
https://notcve.org/view.php?id=CVE-2025-21721
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: handle errors that nilfs_prepare_chunk() may return Patch series "nilfs2: fix issues with rename operations". This series fixes BUG_ON check failures reported by syzbot around rename operations, and a minor behavioral issue where the mtime of a child directory changes when it is renamed instead of moved. This patch (of 2): The directory manipulation routines nilfs_set_link() and nilfs_delete_entry() rewrite the directory entry in th... • https://git.kernel.org/stable/c/2ba466d74ed74f073257f86e61519cb8f8f46184 •
CVSS: 9.4EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21719 – ipmr: do not call mr_mfc_uses_dev() for unres entries
https://notcve.org/view.php?id=CVE-2025-21719
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ipmr: do not call mr_mfc_uses_dev() for unres entries syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to "struct sk_buff_head unresolved", which contain two pointers. This code never worked, lets remove it. [1] Unable to handle kernel paging request at virtual address ffff5fff2d536613 KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffeff... • https://git.kernel.org/stable/c/cb167893f41e21e6bd283d78e53489289dc0592d •