CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40068 – fs: ntfs3: Fix integer overflow in run_unpack()
https://notcve.org/view.php?id=CVE-2025-40068
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: ntfs3: Fix integer overflow in run_unpack() The MFT record relative to the file being opened contains its runlist, an array containing information about the file's location on the physical disk. Analysis of all Call Stack paths showed that the values of the runlist array, from which LCNs are calculated, are not validated before run_unpack function. The run_unpack function decodes the compressed runlist data format from MFT attributes (f... • https://git.kernel.org/stable/c/4342306f0f0d5ff4315a204d315c1b51b914fca5 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40064 – smc: Fix use-after-free in __pnet_find_base_ndev().
https://notcve.org/view.php?id=CVE-2025-40064
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in __pnet_find_base_ndev(). syzbot reported use-after-free of net_device in __pnet_find_base_ndev(), which was called during connect(). [0] smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes down to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened at __pnet_find_base_ndev() when the dev is first used. This means dev had already been freed before acquiring RTNL in pnet_find_base_ndev(). W... • https://git.kernel.org/stable/c/0afff91c6f5ecef27715ea71e34dc2baacba1060 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2025-40060 – coresight: trbe: Return NULL pointer for allocation failures
https://notcve.org/view.php?id=CVE-2025-40060
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: coresight: trbe: Return NULL pointer for allocation failures When the TRBE driver fails to allocate a buffer, it currently returns the error code "-ENOMEM". However, the caller etm_setup_aux() only checks for a NULL pointer, so it misses the error. As a result, the driver continues and eventually causes a kernel panic. Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() on allocation failures. This allows that the callers can ... • https://git.kernel.org/stable/c/3fbf7f011f2426dac8c982f1d2ef469a7959a524 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40057 – ptp: Add a upper bound on max_vclocks
https://notcve.org/view.php?id=CVE-2025-40057
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ptp: Add a upper bound on max_vclocks syzbot reported WARNING in max_vclocks_store. This occurs when the argument max is too large for kcalloc to handle. Extend the guard to guard against values that are too large for kcalloc In the Linux kernel, the following vulnerability has been resolved: ptp: Add a upper bound on max_vclocks syzbot reported WARNING in max_vclocks_store. This occurs when the argument max is too large for kcalloc to hand... • https://git.kernel.org/stable/c/73f37068d540eba5f93ba3a0019bf479d35ebd76 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40055 – ocfs2: fix double free in user_cluster_connect()
https://notcve.org/view.php?id=CVE-2025-40055
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix double free in user_cluster_connect() user_cluster_disconnect() frees "conn->cc_private" which is "lc" but then the error handling frees "lc" a second time. Set "lc" to NULL on this path to avoid a double free. In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix double free in user_cluster_connect() user_cluster_disconnect() frees "conn->cc_private" which is "lc" but then the error handling frees "lc" a... • https://git.kernel.org/stable/c/c994c2ebdbbc391a42f177c8eb7882ebf3f142d8 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-40054 – f2fs: fix UAF issue in f2fs_merge_page_bio()
https://notcve.org/view.php?id=CVE-2025-40054
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: f2fs: fix UAF issue in f2fs_merge_page_bio() As JY reported in bugzilla [1], Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 pc : [0xffffffe51d249484] f2fs_is_cp_guaranteed+0x70/0x98 lr : [0xffffffe51d24adbc] f2fs_merge_page_bio+0x520/0x6d4 CPU: 3 UID: 0 PID: 6790 Comm: kworker/u16:3 Tainted: P B W OE 6.12.30-android16-5-maybe-dirty-4k #1 5f7701c9cbf727d1eebe77c89bbbeb3371e895e5 Tainted: [P]=PROPRIETARY_... • https://git.kernel.org/stable/c/0b20fcec8651569935a10afe03fedc0b812d044e •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40053 – net: dlink: handle copy_thresh allocation failure
https://notcve.org/view.php?id=CVE-2025-40053
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dlink: handle copy_thresh allocation failure The driver did not handle failure of `netdev_alloc_skb_ip_align()`. If the allocation failed, dereferencing `skb->protocol` could lead to a NULL pointer dereference. This patch tries to allocate `skb`. If the allocation fails, it falls back to the normal path. Tested-on: D-Link DGE-550T Rev-A3 In the Linux kernel, the following vulnerability has been resolved: net: dlink: handle copy_thresh ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40049 – Squashfs: fix uninit-value in squashfs_get_parent
https://notcve.org/view.php?id=CVE-2025-40049
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: fix uninit-value in squashfs_get_parent Syzkaller reports a "KMSAN: uninit-value in squashfs_get_parent" bug. This is caused by open_by_handle_at() being called with a file handle containing an invalid parent inode number. In particular the inode number is that of a symbolic link, rather than a directory. Squashfs_get_parent() gets called with that symbolic link inode, and accesses the parent member field. unsigned int parent_ino ... • https://git.kernel.org/stable/c/122601408d20c77704268f1dea9f9ce4abf997c2 •
CVSS: 8.4EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40048 – uio_hv_generic: Let userspace take care of interrupt mask
https://notcve.org/view.php?id=CVE-2025-40048
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Let userspace take care of interrupt mask Remove the logic to set interrupt mask by default in uio_hv_generic driver as the interrupt mask value is supposed to be controlled completely by the user space. If the mask bit gets changed by the driver, concurrently with user mode operating on the ring, the mask bit may be set when it is supposed to be clear, and the user-mode driver will miss an interrupt which will cause a hang.... • https://git.kernel.org/stable/c/95096f2fbd10186d3e78a328b327afc71428f65f •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40044 – fs: udf: fix OOB read in lengthAllocDescs handling
https://notcve.org/view.php?id=CVE-2025-40044
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: udf: fix OOB read in lengthAllocDescs handling When parsing Allocation Extent Descriptor, lengthAllocDescs comes from on-disk data and must be validated against the block size. Crafted or corrupted images may set lengthAllocDescs so that the total descriptor length (sizeof(allocExtDesc) + lengthAllocDescs) exceeds the buffer, leading udf_update_tag() to call crc_itu_t() on out-of-bounds memory and trigger a KASAN use-after-free read. BU... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •