CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37823 – net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too
https://notcve.org/view.php?id=CVE-2025-37823
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Similarly to the previous patch, we need to safe guard hfsc_dequeue() too. But for this one, we don't have a reliable reproducer. In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Fix a potential UAF in hfsc_dequeue() too Similarly to the previous patch, we need to safe guard hfsc_dequeue() too. But for this one, we don't have a reliable reproducer... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37817 – mcb: fix a double free bug in chameleon_parse_gdd()
https://notcve.org/view.php?id=CVE-2025-37817
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: mcb: fix a double free bug in chameleon_parse_gdd() In chameleon_parse_gdd(), if mcb_device_register() fails, 'mdev' would be released in mcb_device_register() via put_device(). Thus, goto 'err' label and free 'mdev' again causes a double free. Just return if mcb_device_register() fails. In the Linux kernel, the following vulnerability has been resolved: mcb: fix a double free bug in chameleon_parse_gdd() In chameleon_parse_gdd(), if mcb_de... • https://git.kernel.org/stable/c/3764e82e5150d87b205c10cd78a9c9ab86fbfa51 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37810 – usb: dwc3: gadget: check that event count does not exceed event buffer length
https://notcve.org/view.php?id=CVE-2025-37810
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: gadget: check that event count does not exceed event buffer length The event count is read from register DWC3_GEVNTCOUNT. There is a check for the count being zero, but not for exceeding the event buffer length. Check that event count does not exceed event buffer length, avoiding an out-of-bounds access when memcpy'ing the event. Crash log: Unable to handle kernel paging request at virtual address ffffffc0129be000 pc : __memcpy+0... • https://git.kernel.org/stable/c/72246da40f3719af3bfd104a2365b32537c27d83 • CWE-787: Out-of-bounds Write •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-37808 – crypto: null - Use spin lock instead of mutex
https://notcve.org/view.php?id=CVE-2025-37808
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: null - Use spin lock instead of mutex As the null algorithm may be freed in softirq context through af_alg, use spin locks instead of mutexes to protect the default null algorithm. In the Linux kernel, the following vulnerability has been resolved: crypto: null - Use spin lock instead of mutex As the null algorithm may be freed in softirq context through af_alg, use spin locks instead of mutexes to protect the default null algorithm... • https://git.kernel.org/stable/c/330234638e16b7b95e8e5e6be719a61a93f074b8 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37800 – driver core: fix potential NULL pointer dereference in dev_uevent()
https://notcve.org/view.php?id=CVE-2025-37800
08 May 2025 — In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential NULL pointer dereference in dev_uevent() If userspace reads "uevent" device attribute at the same time as another threads unbinds the device from its driver, change to dev->driver from a valid pointer to NULL may result in crash. Fix this by using READ_ONCE() when fetching the pointer, and take bus' drivers klist lock to make sure driver instance will not disappear while we access it. Use WRITE_ONCE() when setting... • https://git.kernel.org/stable/c/16574dccd8f62dc1b585325f8a6a0aab10047ed8 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-21546 – scsi: target: Fix WRITE_SAME No Data Buffer crash
https://notcve.org/view.php?id=CVE-2022-21546
02 May 2025 — In newer version of the SBC specs, we have a NDOB bit that indicates there is no data buffer that gets written out. If this bit is set using commands like "sg_write_same --ndob" we will crash in target_core_iblock/file's execute_write_same handlers when we go to access the se_cmd->t_data_sg because its NULL. CVSS 3.1 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H). In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix WRITE_S... • https://git.kernel.org/stable/c/f6970ad31d42fceb38b5595cbad093a4d0bfcc43 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2023-53140 – scsi: core: Remove the /proc/scsi/${proc_name} directory earlier
https://notcve.org/view.php?id=CVE-2023-53140
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: core: Remove the /proc/scsi/${proc_name} directory earlier Remove the /proc/scsi/${proc_name} directory earlier to fix a race condition between unloading and reloading kernel modules. This fixes a bug introduced in 2009 by commit 77c019768f06 ("[SCSI] fix /proc memory leak in the SCSI core"). Fix the following kernel warning: proc_dir_entry 'scsi/scsi_debug' already registered WARNING: CPU: 19 PID: 27986 at fs/proc/generic.c:376 proc_... • https://git.kernel.org/stable/c/77c019768f0607c36e25bec11ce3e1eabef09277 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53139 – nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties
https://notcve.org/view.php?id=CVE-2023-53139
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties devm_kmalloc_array may fails, *fw_vsc_cfg might be null and cause out-of-bounds write in device_property_read_u8_array later. In the Linux kernel, the following vulnerability has been resolved: nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties devm_kmalloc_array may fails, *fw_vsc_cfg might be null and cause out-of-bounds ... • https://git.kernel.org/stable/c/a06347c04c13e380afce0c9816df51f00b83faf1 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53138 – net: caif: Fix use-after-free in cfusbl_device_notify()
https://notcve.org/view.php?id=CVE-2023-53138
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: caif: Fix use-after-free in cfusbl_device_notify() syzbot reported use-after-free in cfusbl_device_notify() [1]. This causes a stack trace like below: BUG: KASAN: use-after-free in cfusbl_device_notify+0x7c9/0x870 net/caif/caif_usb.c:138 Read of size 8 at addr ffff88807ac4e6f0 by task kworker/u4:6/1214 CPU: 0 PID: 1214 Comm: kworker/u4:6 Not tainted 5.19.0-rc3-syzkaller-00146-g92f20ff72066 #0 Hardware name: Google Google Compute Engine... • https://git.kernel.org/stable/c/7ad65bf68d705b445ef10b77ab50dab22be185ee •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-53125 – net: usb: smsc75xx: Limit packet length to skb->len
https://notcve.org/view.php?id=CVE-2023-53125
02 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: usb: smsc75xx: Limit packet length to skb->len Packet length retrieved from skb data may be larger than the actual socket buffer length (up to 9026 bytes). In such case the cloned skb passed up the network stack will leak kernel memory contents. In the Linux kernel, the following vulnerability has been resolved: net: usb: smsc75xx: Limit packet length to skb->len Packet length retrieved from skb data may be larger than the actual socke... • https://git.kernel.org/stable/c/d0cad871703b898a442e4049c532ec39168e5b57 • CWE-125: Out-of-bounds Read •