CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

24 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. Another crash is in set_mesh_complete() due to double list_del via mgmt_pending_valid + mgmt_pending_remove. Use DEFINE_FLEX to declare the flexible array right, and don't memcpy outside bounds. As mgmt_pending_valid removes the cmd from list, use mgmt_pendin... • https://git.kernel.org/stable/c/302a1f674c00dd5581ab8e493ef44767c5101aab •

CVSS: 7.2 | EPSS: 0% | CPEs: 3 | EXPL: 0

24 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: nfsd: fix refcount leak in nfsd_set_fh_dentry() nfsd exports a "pseudo root filesystem" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle. NFSv3 uses the MOUNT protocol to find those exported filesystems and so is not given access to the pseudo root filesystem. If a v3 (or v2) client uses a filehandle from that filesystem, nfsd_set_fh_dentry() will report an error, but still s... • https://git.kernel.org/stable/c/ef7f6c4904d03ccd7478e1ac20ed75f79c4ac444 •

CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

21 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ACPI: video: Fix use-after-free in acpi_video_switch_brightness() The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during device removal. If the work executes after acpi_video_bus_unregister_backlight() frees these resources, it causes a use-after-free when acpi_video_switch_brightness() dereferences device->brightness or device->backlight. Fix this by ... • https://git.kernel.org/stable/c/8ab58e8e7e097bae5fe39cbc67eb93a91f7134b7 •

CVSS: 6.6 | EPSS: 0% | CPEs: 2 | EXPL: 0

21 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND" I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug into it a little, but I haven't been able to root-cause it yet. However, I bisected to commit 48aab1606fa8 ("NFSD: Remove the cap on number of operations per NFSv4 COMPOUND"). Tianshuo Han also reports a potential vulnerability when deco... • https://git.kernel.org/stable/c/b3ee7ce432289deac87b9d14e01f2fe6958f7f0b •

CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

21 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the preallocated qgroup_list structure passed by the caller. This causes a memory leak because the caller unconditionally sets the pointer to NULL after the call, preventing any cleanup. The issue occurs because the level validation check ... • https://git.kernel.org/stable/c/4addc1ffd67ad34394674dc91379dc04cfdd2537 •

CVSS: 7.1 | EPSS: 0% | CPEs: 2 | EXPL: 0

12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: media: iris: fix module removal if firmware download failed Fix remove if firmware failed to load: qcom-iris aa00000.video-codec: Direct firmware load for qcom/vpu/vpu33_p4.mbn failed with error -2 qcom-iris aa00000.video-codec: firmware download failed qcom-iris aa00000.video-codec: core init failed then: $ echo aa00000.video-codec > /sys/bus/platform/drivers/qcom-iris/unbind Triggers: genpd genpd:1:aa00000.video-codec: Runtime PM usage co... • https://git.kernel.org/stable/c/d7378f84e94e14998b3469dcc0d8ce609d049ccc •

CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0

12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() v4l2_subdev_call_state_try() macro allocates a subdev state with __v4l2_subdev_state_alloc(), but does not check the returned value. If __v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would cause v4l2_subdev_call_state_try() to crash. Add proper error handling to v4l2_subdev_call_state_try(). • https://git.kernel.org/stable/c/982c0487185bd466059ff618f398a8d074ddb654 •

CVSS: 5.5 | EPSS: 0% | CPEs: 4 | EXPL: 0

12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_objref: validate objref and objrefmap expressions Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls: BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12) [...] Call Trace: __find_rr_leaf+0x99/0x230 fib6_table_lookup+0x13b/0x2d0 ip6_pol_route+0xa4/0x400 fib6_rule_lookup+0x156/0x240 ip6_route_output_flags+0xc6/0x150 __nf_ip... • https://git.kernel.org/stable/c/ee394f96ad7517fbc0de9106dcc7ce9efb14f264 •

CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0

12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_... • https://git.kernel.org/stable/c/be6e8dc0ba84029997075a1ec77b4ddb863cbe15 •

CVSS: 6.3 | EPSS: 0% | CPEs: 8 | EXPL: 0

12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •