CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39676 – scsi: qla4xxx: Prevent a potential error pointer dereference
https://notcve.org/view.php?id=CVE-2025-39676
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() function is supposed to return NULL on error, but qla4xxx_ep_connect() returns error pointers. Propagating the error pointers will lead to an Oops in the caller, so change the error pointers to NULL. In the Linux kernel, the following vulnerability has been resolved: scsi: qla4xxx: Prevent a potential error pointer dereference The qla4xxx_get_ep_fwdb() fu... • https://git.kernel.org/stable/c/13483730a13bef372894aefcf73760f5c6c297be •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39675 – drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session()
https://notcve.org/view.php?id=CVE-2025-39675
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null pointer check in mod_hdcp_hdcp1_create_session() The function mod_hdcp_hdcp1_create_session() calls the function get_first_active_display(), but does not check its return value. The return value is a null pointer if the display list is empty. This will lead to a null pointer dereference. Add a null pointer check for get_first_active_display() and return MOD_HDCP_STATUS_DISPLAY_NOT_FOUND if the function return null.... • https://git.kernel.org/stable/c/2deade5ede56581722c0d7672f28b09548dc0fc4 •
CVSS: 6.9EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39673 – ppp: fix race conditions in ppp_fill_forward_path
https://notcve.org/view.php?id=CVE-2025-39673
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ppp: fix race conditions in ppp_fill_forward_path ppp_fill_forward_path() has two race conditions: 1. The ppp->channels list can change between list_empty() and list_first_entry(), as ppp_lock() is not held. If the only channel is deleted in ppp_disconnect_channel(), list_first_entry() may access an empty head or a freed entry, and trigger a panic. 2. pch->chan can be NULL. When ppp_unregister_channel() is called, pch->chan is set to NULL b... • https://git.kernel.org/stable/c/f6efc675c9dd8d93f826b79ae7e33e03301db609 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38735 – gve: prevent ethtool ops after shutdown
https://notcve.org/view.php?id=CVE-2025-38735
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: gve: prevent ethtool ops after shutdown A crash can occur if an ethtool operation is invoked after shutdown() is called. shutdown() is invoked during system shutdown to stop DMA operations without performing expensive deallocations. It is discouraged to unregister the netdev in this path, so the device may still be visible to userspace and kernel helpers. In gve, shutdown() tears down most internal data structures. If an ethtool operation i... • https://git.kernel.org/stable/c/974365e518617c9ce917f61aacbba07e4bedcca0 •
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38734 – net/smc: fix UAF on smcsk after smc_listen_out()
https://notcve.org/view.php?id=CVE-2025-38734
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix UAF on smcsk after smc_listen_out() BPF CI testing report a UAF issue: [ 16.446633] BUG: kernel NULL pointer dereference, address: 000000000000003 0 [ 16.447134] #PF: supervisor read access in kernel mod e [ 16.447516] #PF: error_code(0x0000) - not-present pag e [ 16.447878] PGD 0 P4D 0 [ 16.448063] Oops: Oops: 0000 [#1] PREEMPT SMP NOPT I [ 16.448409] CPU: 0 UID: 0 PID: 9 Comm: kworker/0:1 Tainted: G OE 6.13.0-rc3-g89e8a75fda7... • https://git.kernel.org/stable/c/3b2dec2603d5b06ad3af71c1164ca0b92df3d2a8 •
CVSS: 5.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38732 – netfilter: nf_reject: don't leak dst refcount for loopback packets
https://notcve.org/view.php?id=CVE-2025-38732
05 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_reject: don't leak dst refcount for loopback packets recent patches to add a WARN() when replacing skb dst entry found an old bug: WARNING: include/linux/skbuff.h:1165 skb_dst_check_unset include/linux/skbuff.h:1164 [inline] WARNING: include/linux/skbuff.h:1165 skb_dst_set include/linux/skbuff.h:1210 [inline] WARNING: include/linux/skbuff.h:1165 nf_reject_fill_skb_dst+0x2a4/0x330 net/ipv4/netfilter/nf_reject_ipv4.c:234 [..] Ca... • https://git.kernel.org/stable/c/f53b9b0bdc59c0823679f2e3214e0d538f5951b9 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38730 – io_uring/net: commit partial buffers on retry
https://notcve.org/view.php?id=CVE-2025-38730
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring/net: commit partial buffers on retry Ring provided buffers are potentially only valid within the single execution context in which they were acquired. io_uring deals with this and invalidates them on retry. But on the networking side, if MSG_WAITALL is set, or if the socket is of the streaming type and too little was processed, then it will hang on to the buffer rather than recycle or commit it. This is problematic for two reasons:... • https://git.kernel.org/stable/c/c56e022c0a27142b7b59ae6bdf45f86bf4b298a1 •
CVSS: 7.2EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38729 – ALSA: usb-audio: Validate UAC3 power domain descriptors, too
https://notcve.org/view.php?id=CVE-2025-38729
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB accesses by malicious firmware, too. In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Validate UAC3 power domain descriptors, too UAC3 power domain descriptors need to be verified with its variable bLength for avoiding the unexpected OOB a... • https://git.kernel.org/stable/c/9a2fe9b801f585baccf8352d82839dcd54b300cf •
CVSS: 6.9EPSS: 0%CPEs: 6EXPL: 0CVE-2025-38728 – smb3: fix for slab out of bounds on mount to ksmbd
https://notcve.org/view.php?id=CVE-2025-38728
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: smb3: fix for slab out of bounds on mount to ksmbd With KASAN enabled, it is possible to get a slab out of bounds during mount to ksmbd due to missing check in parse_server_interfaces() (see below): BUG: KASAN: slab-out-of-bounds in parse_server_interfaces+0x14ee/0x1880 [cifs] Read of size 4 at addr ffff8881433dba98 by task mount/9827 CPU: 5 UID: 0 PID: 9827 Comm: mount Tainted: G OE 6.16.0-rc2-kasan #2 PREEMPT(voluntary) Tainted: [O]=OOT_M... • https://git.kernel.org/stable/c/fe856be475f7cf5ffcde57341d175ce9fd09434b •
CVSS: 6.6EPSS: 0%CPEs: 9EXPL: 0CVE-2025-38727 – netlink: avoid infinite retry looping in netlink_unicast()
https://notcve.org/view.php?id=CVE-2025-38727
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netlink: avoid infinite retry looping in netlink_unicast() netlink_attachskb() checks for the socket's read memory allocation constraints. Firstly, it has: rmem < READ_ONCE(sk->sk_rcvbuf) to check if the just increased rmem value fits into the socket's receive buffer. If not, it proceeds and tries to wait for the memory under: rmem + skb->truesize > READ_ONCE(sk->sk_rcvbuf) The checks don't cover the case when skb->truesize + sk->sk_rmem_al... • https://git.kernel.org/stable/c/9da025150b7c14a8390fc06aea314c0a4011e82c •