CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-22066 – ASoC: imx-card: Add NULL check in imx_card_probe()
https://notcve.org/view.php?id=CVE-2025-22066
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: imx-card: Add NULL check in imx_card_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, imx_card_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue. In the Linux kernel, the following vulnerability has been resolved: ASoC: imx-card: Add NULL check in imx_card_probe() devm_kasprintf() returns NULL when memory allocati... • https://git.kernel.org/stable/c/aa736700f42fa0813e286ca2f9274ffaa25163b9 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22065 – idpf: fix adapter NULL pointer dereference on reboot
https://notcve.org/view.php?id=CVE-2025-22065
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: idpf: fix adapter NULL pointer dereference on reboot With SRIOV enabled, idpf ends up calling into idpf_remove() twice. First via idpf_shutdown() and then again when idpf_remove() calls into sriov_disable(), because the VF devices use the idpf driver, hence the same remove routine. When that happens, it is possible for the adapter to be NULL from the first call to idpf_remove(), leading to a NULL pointer dereference. echo 1 > /sys/class/net... • https://git.kernel.org/stable/c/e850efed5e152e6bdd367d5b82019f21298c0653 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-22064 – netfilter: nf_tables: don't unregister hook when table is dormant
https://notcve.org/view.php?id=CVE-2025-22064
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't unregister hook when table is dormant When nf_tables_updchain encounters an error, hook registration needs to be rolled back. This should only be done if the hook has been registered, which won't happen when the table is flagged as dormant (inactive). Just move the assignment into the registration block. In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: don't unregister hoo... • https://git.kernel.org/stable/c/b9703ed44ffbfba85c103b9de01886a225e14b38 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2025-22063 – netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets
https://notcve.org/view.php?id=CVE-2025-22063
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: netlabel: Fix NULL pointer exception caused by CALIPSO on IPv4 sockets When calling netlbl_conn_setattr(), addr->sa_family is used to determine the function behavior. If sk is an IPv4 socket, but the connect function is called with an IPv6 address, the function calipso_sock_setattr() is triggered. Inside this function, the following code is executed: sk_fullsock(__sk) ? inet_sk(__sk)->pinet6 : NULL; Since sk is an IPv4 socket, pinet6 is NUL... • https://git.kernel.org/stable/c/ceba1832b1b2da0149c51de62a847c00bca1677a •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22062 – sctp: add mutual exclusion in proc_sctp_do_udp_port()
https://notcve.org/view.php?id=CVE-2025-22062
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: add mutual exclusion in proc_sctp_do_udp_port() We must serialize calls to sctp_udp_sock_stop() and sctp_udp_sock_start() or risk a crash as syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc000000000d: 0000 [#1] SMP KASAN PTI KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f] CPU: 1 UID: 0 PID: 6551 Comm: syz.1.44 Not tainted 6.14.0-syzkaller-g7f2ff7b62617 #0 PREEMPT(full)... • https://git.kernel.org/stable/c/046c052b475e7119b6a30e3483e2888fc606a2f8 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-22060 – net: mvpp2: Prevent parser TCAM memory corruption
https://notcve.org/view.php?id=CVE-2025-22060
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: Prevent parser TCAM memory corruption Protect the parser TCAM/SRAM memory, and the cached (shadow) SRAM information, from concurrent modifications. Both the TCAM and SRAM tables are indirectly accessed by configuring an index register that selects the row to read or write to. This means that operations must be atomic in order to, e.g., avoid spreading writes across multiple rows. Since the shadow SRAM array is used to find free ... • https://git.kernel.org/stable/c/3f518509dedc99f0b755d2ce68d24f610e3a005a •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-22059 – udp: Fix multiple wraparounds of sk->sk_rmem_alloc.
https://notcve.org/view.php?id=CVE-2025-22059
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: udp: Fix multiple wraparounds of sk->sk_rmem_alloc. __udp_enqueue_schedule_skb() has the following condition: if (atomic_read(&sk->sk_rmem_alloc) > sk->sk_rcvbuf) goto drop; sk->sk_rcvbuf is initialised by net.core.rmem_default and later can be configured by SO_RCVBUF, which is limited by net.core.rmem_max, or SO_RCVBUFFORCE. If we set INT_MAX to sk->sk_rcvbuf, the condition is always false as sk->sk_rmem_alloc is also signed int. Then, the... • https://git.kernel.org/stable/c/6a1f12dd85a8b24f871dfcf467378660af9c064d •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-22058 – udp: Fix memory accounting leak.
https://notcve.org/view.php?id=CVE-2025-22058
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: udp: Fix memory accounting leak. Matt Dowling reported a weird UDP memory usage issue. Under normal operation, the UDP memory usage reported in /proc/net/sockstat remains close to zero. However, it occasionally spiked to 524,288 pages and never dropped. Moreover, the value doubled when the application was terminated. • https://git.kernel.org/stable/c/f970bd9e3a06f06df8d8ecf1f8ad2c8615cc17eb •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-22057 – net: decrease cached dst counters in dst_release
https://notcve.org/view.php?id=CVE-2025-22057
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: decrease cached dst counters in dst_release Upstream fix ac888d58869b ("net: do not delay dst_entries_add() in dst_release()") moved decrementing the dst count from dst_destroy to dst_release to avoid accessing already freed data in case of netns dismantle. However in case CONFIG_DST_CACHE is enabled and OvS+tunnels are used, this fix is incomplete as the same issue will be seen for cached dsts: Unable to handle kernel paging request a... • https://git.kernel.org/stable/c/d71785ffc7e7cae3fbdc4ea8a9d05b7a1c59f7b8 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-22056 – netfilter: nft_tunnel: fix geneve_opt type confusion addition
https://notcve.org/view.php?id=CVE-2025-22056
16 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix geneve_opt type confusion addition When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the parsing logic should place every geneve_opt structure one by one compactly. Hence, when deciding the next geneve_opt position, the pointer addition should be in units of char *. However, the current implementation erroneously does type conversion before the addition, which will lead to heap out-of-bounds write. [ ... • https://git.kernel.org/stable/c/925d844696d9287f841d6b3e0ed62a35fb175970 •