CVSS: 5.0EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21750 – wifi: brcmfmac: Check the return value of of_property_read_string_index()
https://notcve.org/view.php?id=CVE-2025-21750
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Check the return value of of_property_read_string_index() Somewhen between 6.10 and 6.11 the driver started to crash on my MacBookPro14,3. The property doesn't exist and 'tmp' remains uninitialized, so we pass a random pointer to devm_kstrdup(). The crash I am getting looks like this: BUG: unable to handle page fault for address: 00007f033c669379 PF: supervisor read access in kernel mode PF: error_code(0x0001) - permissions ... • https://git.kernel.org/stable/c/af525a8b2ab85291617e79a5bb18bcdcb529e80c •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21749 – net: rose: lock the socket in rose_bind()
https://notcve.org/view.php?id=CVE-2025-21749
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: rose: lock the socket in rose_bind() syzbot reported a soft lockup in rose_loopback_timer(), with a repro calling bind() from multiple threads. rose_bind() must lock the socket to avoid this issue. In the Linux kernel, the following vulnerability has been resolved: net: rose: lock the socket in rose_bind() syzbot reported a soft lockup in rose_loopback_timer(), with a repro calling bind() from multiple threads. rose_bind() must lock th... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21748 – ksmbd: fix integer overflows on 32 bit systems
https://notcve.org/view.php?id=CVE-2025-21748
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix integer overflows on 32 bit systems On 32bit systems the addition operations in ipc_msg_alloc() can potentially overflow leading to memory corruption. Add bounds checking using KSMBD_IPC_MAX_PAYLOAD to avoid overflow. In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix integer overflows on 32 bit systems On 32bit systems the addition operations in ipc_msg_alloc() can potentially overflow leading to memo... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21746 – Input: synaptics - fix crash when enabling pass-through port
https://notcve.org/view.php?id=CVE-2025-21746
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Input: synaptics - fix crash when enabling pass-through port When enabling a pass-through port an interrupt might come before psmouse driver binds to the pass-through port. However synaptics sub-driver tries to access psmouse instance presumably associated with the pass-through port to figure out if only 1 byte of response or entire protocol packet needs to be forwarded to the pass-through port and may crash if psmouse instance has not been... • https://git.kernel.org/stable/c/100e16959c3ca8cb7be788ed3e2c5867481f35f6 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21745 – blk-cgroup: Fix class @block_class's subsystem refcount leakage
https://notcve.org/view.php?id=CVE-2025-21745
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix class @block_class's subsystem refcount leakage blkcg_fill_root_iostats() iterates over @block_class's devices by class_dev_iter_(init|next)(), but does not end iterating with class_dev_iter_exit(), so causes the class's subsystem refcount leakage. Fix by ending the iterating with class_dev_iter_exit(). In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: Fix class @block_class's subsystem refcount... • https://git.kernel.org/stable/c/ef45fe470e1e5410db4af87abc5d5055427945ac •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21744 – wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize()
https://notcve.org/view.php?id=CVE-2025-21744
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix NULL pointer dereference in brcmf_txfinalize() On removal of the device or unloading of the kernel module a potential NULL pointer dereference occurs. The following sequence deletes the interface: brcmf_detach() brcmf_remove_interface() brcmf_del_if() Inside the brcmf_del_if() function the drvr->if2bss[ifidx] is updated to BRCMF_BSSIDX_INVALID (-1) if the bsscfgidx matches. After brcmf_remove_interface() call the brcmf_p... • https://git.kernel.org/stable/c/4e51d6d093e763348916e69d06d87e0a5593661b •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21743 – usbnet: ipheth: fix possible overflow in DPE length check
https://notcve.org/view.php?id=CVE-2025-21743
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix possible overflow in DPE length check Originally, it was possible for the DPE length check to overflow if wDatagramIndex + wDatagramLength > U16_MAX. This could lead to an OoB read. Move the wDatagramIndex term to the other side of the inequality. An existing condition ensures that wDatagramIndex < urb->actual_length. In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix possible overflo... • https://git.kernel.org/stable/c/a2d274c62e44b1995c170595db3865c6fe701226 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21742 – usbnet: ipheth: use static NDP16 location in URB
https://notcve.org/view.php?id=CVE-2025-21742
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: use static NDP16 location in URB Original code allowed for the start of NDP16 to be anywhere within the URB based on the `wNdpIndex` value in NTH16. Only the start position of NDP16 was checked, so it was possible for even the fixed-length part of NDP16 to extend past the end of URB, leading to an out-of-bounds read. On iOS devices, the NDP16 header always directly follows NTH16. Rely on and check for this specific format. T... • https://git.kernel.org/stable/c/a2d274c62e44b1995c170595db3865c6fe701226 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21741 – usbnet: ipheth: fix DPE OoB read
https://notcve.org/view.php?id=CVE-2025-21741
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix DPE OoB read Fix an out-of-bounds DPE read, limit the number of processed DPEs to the amount that fits into the fixed-size NDP16 header. In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: fix DPE OoB read Fix an out-of-bounds DPE read, limit the number of processed DPEs to the amount that fits into the fixed-size NDP16 header. • https://git.kernel.org/stable/c/a2d274c62e44b1995c170595db3865c6fe701226 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21739 – scsi: ufs: core: Fix use-after free in init error and remove paths
https://notcve.org/view.php?id=CVE-2025-21739
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix use-after free in init error and remove paths devm_blk_crypto_profile_init() registers a cleanup handler to run when the associated (platform-) device is being released. For UFS, the crypto private data and pointers are stored as part of the ufs_hba's data structure 'struct ufs_hba::crypto_profile'. This structure is allocated as part of the underlying ufshcd and therefore Scsi_host allocation. During driver release or ... • https://git.kernel.org/stable/c/d76d9d7d1009968dd3a0fc30e5f5ee9fbffc1350 • CWE-416: Use After Free •