CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-38704 – rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access
https://notcve.org/view.php?id=CVE-2025-38704
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: rcu/nocb: Fix possible invalid rdp's->nocb_cb_kthread pointer access. In the preparation stage of CPU online, if the corresponding rdp's->nocb_cb_kthread does not exist, it will be created. There is a situation where the rdp's rcuop kthreads creation fails, and then de-offload this CPU's rdp, does not assign this CPU's rdp->nocb_cb_kthread pointer, but this rdp's->nocb_gp_rdp and rdp's->rdp_gp->nocb_gp_kthread is still valid. This will caus... • https://git.kernel.org/stable/c/cce3d027227c69e85896af9fbc6fa9af5c68f067 •
CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2025-38702 – fbdev: fix potential buffer overflow in do_register_framebuffer()
https://notcve.org/view.php?id=CVE-2025-38702
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fbdev: fix potential buffer overflow in do_register_framebuffer() The current implementation may lead to buffer overflow when: 1. Unregistration creates NULL gaps in registered_fb[] 2. All array slots become occupied despite num_registered_fb < FB_MAX 3. The registration loop exceeds array bounds Add boundary check to prevent registered_fb[FB_MAX] access. • https://git.kernel.org/stable/c/5c3f5a25c62230b7965804ce7a2e9305c3ca3961 •
CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2025-38701 – ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr
https://notcve.org/view.php?id=CVE-2025-38701
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: do not BUG when INLINE_DATA_FL lacks system.data xattr A syzbot fuzzed image triggered a BUG_ON in ext4_update_inline_data() when an inode had the INLINE_DATA_FL flag set but was missing the system.data extended attribute. Since this can happen due to a maliciously fuzzed file system, we shouldn't BUG, but rather, report it as a corrupted file system. Add similar replacements of BUG_ON with EXT4_ERROR_INODE() in ext4_create_inline_data(... • https://git.kernel.org/stable/c/8085a7324d8ec448c4a764af7853e19bbd64e17a •
CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2025-38700 – scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated
https://notcve.org/view.php?id=CVE-2025-38700
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: libiscsi: Initialize iscsi_conn->dd_data only if memory is allocated In case of an ib_fast_reg_mr allocation failure during iSER setup, the machine hits a panic because iscsi_conn->dd_data is initialized unconditionally, even when no memory is allocated (dd_size == 0). This leads to invalid pointer dereference during connection teardown. Fix by setting iscsi_conn->dd_data only if memory is actually allocated. Panic trace: ------------ is... • https://git.kernel.org/stable/c/f53af99f441ee79599d8df6113a7144d74cf9153 •
CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2025-38699 – scsi: bfa: Double-free fix
https://notcve.org/view.php?id=CVE-2025-38699
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: bfa: Double-free fix When the bfad_im_probe() function fails during initialization, the memory pointed to by bfad->im is freed without setting bfad->im to NULL. Subsequently, during driver uninstallation, when the state machine enters the bfad_sm_stopping state and calls the bfad_im_probe_undo() function, it attempts to free the memory pointed to by bfad->im again, thereby triggering a double-free vulnerability. Set bfad->im to NULL i... • https://git.kernel.org/stable/c/684c92bb08a25ed3c0356bc7eb532ed5b19588dd •
CVSS: 7.1 | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2025-38698 – jfs: Regular file corruption check
https://notcve.org/view.php?id=CVE-2025-38698
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: Regular file corruption check The reproducer builds a corrupted file on disk with a negative i_size value. Add a check when opening this file to avoid subsequent operation failures. Je... • https://git.kernel.org/stable/c/9f896c3d0192241d6438be6963682ace8203f502 •
CVSS: 7.1 | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2025-38697 – jfs: upper bound check of tree index in dbAllocAG
https://notcve.org/view.php?id=CVE-2025-38697
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: upper bound check of tree index in dbAllocAG When computing the tree index in dbAllocAG, we never check if we are out of bounds relative to the size of the stree. This could happen in a scenario where the filesystem metadata are corrupted. • https://git.kernel.org/stable/c/5bdb9553fb134fd52ec208a8b378120670f6e784 •
CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2025-38696 – MIPS: Don't crash in stack_top() for tasks without ABI or vDSO
https://notcve.org/view.php?id=CVE-2025-38696
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: MIPS: Don't crash in stack_top() for tasks without ABI or vDSO Not all tasks have an ABI associated or vDSO mapped, for example kthreads never do. If such a task ever ends up calling stack_top(), it will dereference the NULL ABI pointer and crash. This can for example happen when using kunit: mips_stack_top+0x28/0xc0 arch_pick_mmap_layout+0x190/0x220 kunit_vm_mmap_init+0xf8/0x138 __kunit_add_resource+0x40/0xa8 kunit_vm_mmap+0x88/0xd8 usercopy... • https://git.kernel.org/stable/c/ab18e48a503230d675e824a0d68a108bdff42503 •
CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2025-38695 – scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure
https://notcve.org/view.php?id=CVE-2025-38695
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Check for hdwq null ptr when cleaning up lpfc_vport structure If a call to lpfc_sli4_read_rev() from lpfc_sli4_hba_setup() fails, the resultant cleanup routine lpfc_sli4_vport_delete_fcp_xri_aborted() may occur before sli4_hba.hdwqs are allocated. This may result in a null pointer dereference when attempting to take the abts_io_buf_list_lock for the first hardware queue. Fix by adding a null ptr check on phba->sli4_hba.hdwq and ... • https://git.kernel.org/stable/c/6711ce7e9de4eb1a541ef30638df1294ea4267f8 •
CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2025-38694 – media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb()
https://notcve.org/view.php?id=CVE-2025-38694
04 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: dvb-frontends: dib7090p: fix null-ptr-deref in dib7090p_rw_on_apb() In dib7090p_rw_on_apb, msg is controlled by user. When msg[0].buf is null and msg[0].len is zero, former checks on msg[0].buf would be passed. If accessing msg[0].buf[2] without sanity check, null pointer deref would happen. We add check on msg[0].len to prevent crash. Similar issue occurs when accessing msg[1].buf[0] and msg[1].buf[1]. • https://git.kernel.org/stable/c/bc07cae4f36bb18d5b6a9ed835c1278ca44ec82e •
