CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39885 – ocfs2: fix recursive semaphore deadlock in fiemap call
https://notcve.org/view.php?id=CVE-2025-39885
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix recursive semaphore deadlock in fiemap call syzbot detected a OCFS2 hang due to a recursive semaphore on a FS_IOC_FIEMAP of the extent list on a specially crafted mmap file. context_switch kernel/sched/core.c:5357 [inline] __schedule+0x1798/0x4cc0 kernel/sched/core.c:6961 __schedule_loop kernel/sched/core.c:7043 [inline] schedule+0x165/0x360 kernel/sched/core.c:7058 schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:7115 rws... • https://git.kernel.org/stable/c/00dc417fa3e763345b34ccb6034d72de76eea0a1 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39883 – mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
https://notcve.org/view.php?id=CVE-2025-39883
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory When I did memory failure tests, below panic occurs: page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page)) kernel BUG at include/linux/page-flags.h:616! Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 PID: 720 Comm: bash Not tainted 6.10.0-rc1-00195-g148743902568 #40 RIP: 0010:unpoison_memory+0x2f3/0x590 RSP: 0018:ffffa57fc8787d60 EFLAGS: 00000246 RAX:... • https://git.kernel.org/stable/c/f1dd2cd13c4bbbc9a7c4617b3b034fa643de98fe •
CVSS: 5.5EPSS: 0%CPEs: 11EXPL: 0CVE-2025-39876 – net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
https://notcve.org/view.php?id=CVE-2025-39876
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() The function of_phy_find_device may return NULL, so we need to take care before dereferencing phy_dev. In the Linux kernel, the following vulnerability has been resolved: net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable() The function of_phy_find_device may return NULL, so we need to take care before dereferencing phy_dev. The SUSE Linux Enterprise 15 SP6 A... • https://git.kernel.org/stable/c/9e70485b40c8306298adea8bdc867ca27f88955a •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2025-39873 – can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
https://notcve.org/view.php?id=CVE-2025-39873
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB can_put_echo_skb() takes ownership of the SKB and it may be freed during or after the call. However, xilinx_can xcan_write_frame() keeps using SKB after the call. Fix that by only calling can_put_echo_skb() after the code is done touching the SKB. The tx_lock is held for the entire xcan_write_frame() execution and also on the can_get_echo_skb() side so the order of o... • https://git.kernel.org/stable/c/1598efe57b3e768056e4ca56cb9cf33111e68d1c •
CVSS: 7.2EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39869 – dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
https://notcve.org/view.php?id=CVE-2025-39869
23 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: edma: Fix memory allocation size for queue_priority_map Fix a critical memory allocation bug in edma_setup_from_hw() where queue_priority_map was allocated with insufficient memory. The code declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8), but allocated memory using sizeof(s8) instead of the correct size. This caused out-of-bounds memory writes when accessing: queue_priority_map[i][0] = i; queue_priority_m... • https://git.kernel.org/stable/c/2b6b3b7420190888793c49e97276e1e73bd7eaed •
CVSS: 6.4EPSS: 0%CPEs: 7EXPL: 1CVE-2025-39866 – fs: writeback: fix use-after-free in __mark_inode_dirty()
https://notcve.org/view.php?id=CVE-2025-39866
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: writeback: fix use-after-free in __mark_inode_dirty() An use-after-free issue occurred when __mark_inode_dirty() get the bdi_writeback that was in the progress of switching. CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1 ...... pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __mark_inode_dirty+0x124/0x418 lr : __mark_inode_dirty+0x118/0x418 sp : ffffffc08c9dbbc0 ........ Call trace: __mark... • https://packetstorm.news/files/id/209969 •
CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-39865 – tee: fix NULL pointer dereference in tee_shm_put
https://notcve.org/view.php?id=CVE-2025-39865
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: tee: fix NULL pointer dereference in tee_shm_put tee_shm_put have NULL pointer dereference: __optee_disable_shm_cache --> shm = reg_pair_to_ptr(...);//shm maybe return NULL tee_shm_free(shm); --> tee_shm_put(shm);//crash Add check in tee_shm_put to fix it. panic log: Unable to handle kernel paging request at virtual address 0000000000100cca Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 ... • https://git.kernel.org/stable/c/c05d8f66ec3470e5212c4d08c46d6cb5738d600d •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-39864 – wifi: cfg80211: fix use-after-free in cmp_bss()
https://notcve.org/view.php?id=CVE-2025-39864
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss() Following bss_free() quirk introduced in commit 776b3580178f ("cfg80211: track hidden SSID networks properly"), adjust cfg80211_update_known_bss() to free the last beacon frame elements only if they're not shared via the corresponding 'hidden_beacon_bss' pointer. In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix use-after-free in cmp_bss() Following bss_fr... • https://git.kernel.org/stable/c/3ab8227d3e7d1d2bf1829675d3197e3cb600e9f6 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-39863 – wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
https://notcve.org/view.php?id=CVE-2025-39863
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work The brcmf_btcoex_detach() only shuts down the btcoex timer, if the flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which runs as timer handler, sets timer_on to false. This creates critical race conditions: 1.If brcmf_btcoex_detach() is called while brcmf_btcoex_timerfunc() is executing, it may observe timer_on as false and skip the call to timer_shut... • https://git.kernel.org/stable/c/61730d4dfffc2cc9d3a49fad87633008105c18ba • CWE-416: Use After Free •
CVSS: 7.2EPSS: 0%CPEs: 11EXPL: 0CVE-2025-39860 – Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
https://notcve.org/view.php?id=CVE-2025-39860
19 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() syzbot reported the splat below without a repro. In the splat, a single thread calling bt_accept_dequeue() freed sk and touched it after that. The root cause would be the racy l2cap_sock_cleanup_listen() call added by the cited commit. bt_accept_dequeue() is called under lock_sock() except for l2cap_sock_release(). Two threads could see the same socket during the list iteration in... • https://git.kernel.org/stable/c/a2da00d1ea1abfb04f846638e210b5b5166e3c9c •