CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 0CVE-2025-40308 – Bluetooth: bcsp: receive data only if registered
https://notcve.org/view.php?id=CVE-2025-40308
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following stack trace: KASAN: null-ptr-deref in range [0x0000000000000108-0x000000000000010f] RIP: 0010:bcsp_recv+0x13d/0x1740 drivers/bluetooth/hci_bcsp.c:590 Call Trace:
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-40307 – exfat: validate cluster allocation bits of the allocation bitmap
https://notcve.org/view.php?id=CVE-2025-40307
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: exfat: validate cluster allocation bits of the allocation bitmap syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking this. The problem is that if the start cluster of the allocation bitmap is 6, cluster 6 can be allocated when creating a directory with mkdir. exfat zeros out this cluster in exfat_mkdir, which can delete existing entries. This can r... • https://git.kernel.org/stable/c/1acf1a564b6034b5af1e7fb23cb98cb3bb4f6003 •
CVSS: 5.6EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40306 – orangefs: fix xattr related buffer overflow...
https://notcve.org/view.php?id=CVE-2025-40306
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: orangefs: fix xattr related buffer overflow... Willy Tarreau
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40304 – fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds
https://notcve.org/view.php?id=CVE-2025-40304
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: fbdev: Add bounds checking in bit_putcs to fix vmalloc-out-of-bounds Add bounds checking to prevent writes past framebuffer boundaries when rendering text near screen edges. Return early if the Y position is off-screen and clip image height to screen boundary. Break from the rendering loop if the X position is off-screen. When clipping image width to fit the screen, update the character count to match the clipped width to prevent buffer siz... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 5.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-40303 – btrfs: ensure no dirty metadata is written back for an fs with errors
https://notcve.org/view.php?id=CVE-2025-40303
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: ensure no dirty metadata is written back for an fs with errors [BUG] During development of a minor feature (make sure all btrfs_bio::end_io() is called in task context), I noticed a crash in generic/388, where metadata writes triggered new works after btrfs_stop_all_workers(). It turns out that it can even happen without any code modification, just using RAID5 for metadata and the same workload from generic/388 is going to trigger th... • https://git.kernel.org/stable/c/13e6c37b989859e70b0d73d3f2cb0aa022159b17 •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40301 – Bluetooth: hci_event: validate skb length for unknown CC opcode
https://notcve.org/view.php?id=CVE-2025-40301
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: validate skb length for unknown CC opcode In hci_cmd_complete_evt(), if the command complete event has an unknown opcode, we assume the first byte of the remaining skb->data contains the return status. However, parameter data has previously been pulled in hci_event_func(), which may leave the skb empty. If so, using skb->data[0] for the return status uses un-init memory. The fix is to check skb->len before using skb->d... • https://git.kernel.org/stable/c/afcb3369f46ed5dc883a7b92f2dd1e264d79d388 •
CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40297 – net: bridge: fix use-after-free due to MST port state bypass
https://notcve.org/view.php?id=CVE-2025-40297
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix use-after-free due to MST port state bypass syzbot reported[1] a use-after-free when deleting an expired fdb. It is due to a race condition between learning still happening and a port being deleted, after all its fdbs have been flushed. The port's state has been toggled to disabled so no learning should happen at that time, but if we have MST enabled, it will bypass the port's state, that together with VLAN filtering disabl... • https://git.kernel.org/stable/c/ec7328b59176227216c461601c6bd0e922232a9b •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40294 – Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern()
https://notcve.org/view.php?id=CVE-2025-40294
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Fix OOB access in parse_adv_monitor_pattern() In the parse_adv_monitor_pattern() function, the value of the 'length' variable is currently limited to HCI_MAX_EXT_AD_LENGTH(251). The size of the 'value' array in the mgmt_adv_pattern structure is 31. If the value of 'pattern[i].length' is set in the user space and exceeds 31, the 'patterns[i].value' array can be accessed out of bound when copied. Increasing the size of the 'v... • https://git.kernel.org/stable/c/99f30e12e588f9982a6eb1916e53510bff25b3b8 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40293 – iommufd: Don't overflow during division for dirty tracking
https://notcve.org/view.php?id=CVE-2025-40293
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: iommufd: Don't overflow during division for dirty tracking If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow to 0 and this triggers divide by 0. In this case the index should just be 0, so reorganize things to divide by shift and avoid hitting any overflows. In the Linux kernel, the following vulnerability has been resolved: iommufd: Don't overflow during division for dirty tracking If pgshift is 63 then BITS_PER_T... • https://git.kernel.org/stable/c/58ccf0190d19d9a8a41f8a02b9e06742b58df4a1 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40292 – virtio-net: fix received length check in big packets
https://notcve.org/view.php?id=CVE-2025-40292
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix received length check in big packets Since commit 4959aebba8c0 ("virtio-net: use mtu size as buffer length for big packets"), when guest gso is off, the allocated size for big packets is not MAX_SKB_FRAGS * PAGE_SIZE anymore but depends on negotiated MTU. The number of allocated frags for big packets is stored in vi->big_packets_num_skbfrags. Because the host announced buffer length can be malicious (e.g. the host vhost_net ... • https://git.kernel.org/stable/c/4959aebba8c06992abafa09d1e80965e0825af54 •