
CVE-2025-38082 – gpio: virtuser: fix potential out-of-bound write
https://notcve.org/view.php?id=CVE-2025-38082
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix potential out-of-bound write. If the caller wrote more characters, count is truncated to the max available space in "simple_write_to_buffer". Check that the input size does not exceed the buffer size. Write a zero termination afterwards. • https://git.kernel.org/stable/c/afe090366f470f77e140ff3407db813f57852c04

CVE-2025-38081 – spi-rockchip: Fix register out of bounds access
https://notcve.org/view.php?id=CVE-2025-38081
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: spi-rockchip: Fix register out of bounds access. Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense. • https://git.kernel.org/stable/c/4a120221661fcecb253448d7b041a52d47f1d91f

CVE-2025-38080 – drm/amd/display: Increase block_sequence array size
https://notcve.org/view.php?id=CVE-2025-38080
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Increase block_sequence array size. [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash. [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to b... • https://git.kernel.org/stable/c/de67e80ab48f1f23663831007a2fa3c1471a7757

CVE-2025-38079 – crypto: algif_hash - fix double free in hash_accept
https://notcve.org/view.php?id=CVE-2025-38079
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: algif_hash - fix double free in hash_accept. If accept(2) is called on socket type algif_hash with MSG_MORE flag set and crypto_ahash_import fails, sk2 is freed. However, it is also freed in af_alg_release, leading to slab-use-after-free error. • https://git.kernel.org/stable/c/fe869cdb89c95d060c77eea20204d6c91f233b53

CVE-2025-38078 – ALSA: pcm: Fix race of buffer access at PCM OSS layer
https://notcve.org/view.php?id=CVE-2025-38078
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix race of buffer access at PCM OSS layer. The PCM OSS layer tries to clear the buffer with the silence data at initialization (or reconfiguration) of a stream with the explicit call of snd_pcm_format_set_silence() with runtime->dma_area. But this may lead to a UAF because the accessed runtime->dma_area might be freed concurrently, as it's performed outside the PCM ops. For avoiding it, move the code into the PCM core and perform... • https://git.kernel.org/stable/c/c0e05a76fc727929524ef24a19c302e6dd40233f

CVE-2025-38077 – platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()
https://notcve.org/view.php?id=CVE-2025-38077
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store(). If the 'buf' array received from the user contains an empty string, the 'length' variable will be zero. Accessing the 'buf' array element with index 'length - 1' will result in a buffer overflow. Add a check for an empty string. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/e8a60aa7404bfef37705da5607c97737073ac38d

CVE-2025-38076 – alloc_tag: allocate percpu counters for module tags dynamically
https://notcve.org/view.php?id=CVE-2025-38076
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: alloc_tag: allocate percpu counters for module tags dynamically. When a module gets unloaded it checks whether any of its tags are still in use and if so, we keep the memory containing module's allocation tags alive until all tags are unused. However percpu counters referenced by the tags are freed by free_module(). This will lead to UAF if the memory allocated by a module is accessed after module was unloaded. To fix this we allocate percpu... • https://git.kernel.org/stable/c/0db6f8d7820a4b788565dac8eed52bfc2c3216da

CVE-2025-38075 – scsi: target: iscsi: Fix timeout on deleted connection
https://notcve.org/view.php?id=CVE-2025-38075
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix timeout on deleted connection. NOPIN response timer may expire on a deleted connection and crash with such logs: Did not receive response to NOPIN on CID: 0, failing connection for I_T Nexus (null),i,0x00023d000125,iqn.2017-01.com.iscsi.target,t,0x3d BUG: Kernel NULL pointer dereference on read at 0x00000000 NIP strlcpy+0x8/0xb0 LR iscsit_fill_cxn_timeout_err_stats+0x5c/0xc0 [iscsi_target_mod] Call Trace: iscsit_hand... • https://git.kernel.org/stable/c/571ce6b6f5cbaf7d24af03cad592fc0e2a54de35

CVE-2025-38074 – vhost-scsi: protect vq->log_used with vq->mutex
https://notcve.org/view.php?id=CVE-2025-38074
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: vhost-scsi: protect vq->log_used with vq->mutex. The vhost-scsi completion path may access vq->log_base when vq->log_used is already set to false. vhost-thread QEMU-thread vhost_scsi_complete_cmd_work() -> vhost_add_used() -> vhost_add_used_n() if (unlikely(vq->log_used)) QEMU disables vq->log_used via VHOST_SET_VRING_ADDR. mutex_lock(&vq->mutex); vq->log_used = false now! mutex_unlock(&vq->mutex); QEMU gfree(vq->log_base) log_used() -> log_... • https://git.kernel.org/stable/c/ca85c2d0db5f8309832be45858b960d933c2131c

CVE-2025-38073 – block: fix race between set_blocksize and read paths
https://notcve.org/view.php?id=CVE-2025-38073
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: block: fix race between set_blocksize and read paths. With the new large sector size support, it's now the case that set_blocksize can change i_blksize and the folio order in a manner that conflicts with a concurrent reader and causes a kernel crash. Specifically, let's say that udev-worker calls libblkid to detect the labels on a block device. The read call can create an order-0 folio to read the first 4096 bytes from the disk. But then ude... • https://git.kernel.org/stable/c/64f505b08e0cfd8163491c8c082d4f47a88e51d4