CVSS: 7.8 • EPSS: 0% • CPEs: 9 • EXPL: 0
CVE-2025-38718 – sctp: linearize cloned gso packets in sctp_rcv
https://notcve.org/view.php?id=CVE-2025-38718
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: linearize cloned gso packets in sctp_rcv A cloned head skb still shares these frag skbs in fraglist with the original head skb. It's not safe to access these frag skbs. syzbot reported two use-of-uninitialized-memory bugs caused by this:
  BUG: KMSAN: uninit-value in sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
  sctp_inq_pop+0x15b7/0x1920 net/sctp/inqueue.c:211
  sctp_assoc_bh_rcv+0x1a7/0xc50 net/sctp/associola.c:998
  sctp_inq_push+0x2...
• https://git.kernel.org/stable/c/90017accff61ae89283ad9a51f9ac46ca01633fb • CWE-664: Improper Control of a Resource Through its Lifetime •
CVSS: 6.9 • EPSS: 0% • CPEs: 4 • EXPL: 0
CVE-2025-38717 – net: kcm: Fix race condition in kcm_unattach()
https://notcve.org/view.php?id=CVE-2025-38717
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: kcm: Fix race condition in kcm_unattach() syzbot found a race condition when kcm_unattach(psock) and kcm_release(kcm) are executed at the same time. kcm_unattach() is missing a check of the flag kcm->tx_stopped before calling queue_work(). If the kcm has a reserved psock, kcm_unattach() might get executed between cancel_work_sync() and unreserve_psock() in kcm_release(), requeuing kcm->tx_work right before kcm gets freed in kcm_done().... • https://git.kernel.org/stable/c/ab7ac4eb9832e32a09f4e8042705484d2fb0aad3 •
CVSS: 5.5 • EPSS: 0% • CPEs: 10 • EXPL: 0
CVE-2025-38716 – hfs: fix general protection fault in hfs_find_init()
https://notcve.org/view.php?id=CVE-2025-38716
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: hfs: fix general protection fault in hfs_find_init() The hfs_find_init() method can trigger the crash if tree pointer is NULL:
  [ 45.746290][ T9787] Oops: general protection fault, probably for non-canonical address 0xdffffc0000000008: 0000 [#1] SMP KAI
  [ 45.747287][ T9787] KASAN: null-ptr-deref in range [0x0000000000000040-0x0000000000000047]
  [ 45.748716][ T9787] CPU: 2 UID: 0 PID: 9787 Comm: repro Not tainted 6.16.0-rc3 #10 PREEMPT(full)
  [...
• https://git.kernel.org/stable/c/434a964daa14b9db083ce20404a4a2add54d037a •
CVSS: 7.1 • EPSS: 0% • CPEs: 9 • EXPL: 0
CVE-2025-38715 – hfs: fix slab-out-of-bounds in hfs_bnode_read()
https://notcve.org/view.php?id=CVE-2025-38715
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: hfs: fix slab-out-of-bounds in hfs_bnode_read() This patch introduces is_bnode_offset_valid() method that checks the requested offset value. Also, it introduces check_and_correct_requested_length() method that checks and correct the requested length (if it is necessary). These methods are used in hfs_bnode_read(), hfs_bnode_write(), hfs_bnode_clear(), hfs_bnode_copy(), and hfs_bnode_move() with the goal to prevent the access out of allocate... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 7.1 • EPSS: 0% • CPEs: 9 • EXPL: 0
CVE-2025-38714 – hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read()
https://notcve.org/view.php?id=CVE-2025-38714
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds in hfsplus_bnode_read() The hfsplus_bnode_read() method can trigger the issue:
  [ 174.852007][ T9784] ==================================================================
  [ 174.852709][ T9784] BUG: KASAN: slab-out-of-bounds in hfsplus_bnode_read+0x2f4/0x360
  [ 174.853412][ T9784] Read of size 8 at addr ffff88810b5fc6c0 by task repro/9784
  [ 174.854059][ T9784]
  [ 174.854272][ T9784] CPU: 1 UID: 0 PID: 9784 Comm: re...
• https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5 • EPSS: 0% • CPEs: 9 • EXPL: 0
CVE-2025-38713 – hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()
https://notcve.org/view.php?id=CVE-2025-38713
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc() The hfsplus_readdir() method is capable to crash by calling hfsplus_uni2asc():
  [ 667.121659][ T9805] ==================================================================
  [ 667.122651][ T9805] BUG: KASAN: slab-out-of-bounds in hfsplus_uni2asc+0x902/0xa10
  [ 667.123627][ T9805] Read of size 2 at addr ffff88802592f40c by task repro/9805
  [ 667.124578][ T9805]
  [ 667.124876][ T9805] CPU: 3 UI...
• https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5 • EPSS: 0% • CPEs: 9 • EXPL: 0
CVE-2025-38712 – hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file()
https://notcve.org/view.php?id=CVE-2025-38712
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: hfsplus: don't use BUG_ON() in hfsplus_create_attributes_file() When the volume header contains erroneous values that do not reflect the actual state of the filesystem, hfsplus_fill_super() assumes that the attributes file is not yet created, which later results in hitting BUG_ON() when hfsplus_create_attributes_file() is called. Replace this BUG_ON() with -EIO error with a message to suggest running fsck tool. ... • https://git.kernel.org/stable/c/95e0d7dbb9b28ab0dfad7c7316066b05e1f1d4cd •
CVSS: 7.2 • EPSS: 0% • CPEs: 4 • EXPL: 0
CVE-2025-38710 – gfs2: Validate i_depth for exhash directories
https://notcve.org/view.php?id=CVE-2025-38710
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: gfs2: Validate i_depth for exhash directories A fuzzer test introduced corruption that ends up with a depth of 0 in dir_e_read(), causing an undefined shift by 32 at: index = hash >> (32 - dip->i_depth); As calculated in an open-coded way in dir_make_exhash(), the minimum depth for an exhash directory is ilog2(sdp->sd_hash_ptrs) and 0 is invalid as sdp->sd_hash_ptrs is fixed as sdp->bsize / 16 at mount time. So we can avoid the undefined be... • https://git.kernel.org/stable/c/9a0045088d888c9c539c8c626a366cb52c0fbdab •
CVSS: 7.8 • EPSS: 0% • CPEs: 9 • EXPL: 0
CVE-2025-38708 – drbd: add missing kref_get in handle_write_conflicts
https://notcve.org/view.php?id=CVE-2025-38708
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drbd: add missing kref_get in handle_write_conflicts With `two-primaries` enabled, DRBD tries to detect "concurrent" writes and handle write conflicts, so that even if you write to the same sector simultaneously on both nodes, they end up with the identical data once the writes are completed. In handling "superseeded" writes, we forgot a kref_get, resulting in a premature drbd_destroy_device and use after free, and further to kernel crashes... • https://git.kernel.org/stable/c/668700b40a7c8727bbd2b3fd4fd22e0ce3f1aeb6 •
CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2025-38702 – fbdev: fix potential buffer overflow in do_register_framebuffer()
https://notcve.org/view.php?id=CVE-2025-38702
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fbdev: fix potential buffer overflow in do_register_framebuffer() The current implementation may lead to buffer overflow when:
  1. Unregistration creates NULL gaps in registered_fb[]
  2. All array slots become occupied despite num_registered_fb < FB_MAX
  3. The registration loop exceeds array bounds
Add boundary check to prevent registered_fb[FB_MAX] access. ...
• https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
