CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2025-38614 – eventpoll: Fix semi-unbounded recursion
https://notcve.org/view.php?id=CVE-2025-38614
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: eventpoll: Fix semi-unbounded recursion Ensure that epoll instances can never form a graph deeper than EP_MAX_NESTS+1 links. Currently, ep_loop_check_proc() ensures that the graph is loop-free and does some recursion depth checks, but those recursion depth checks don't limit the depth of the resulting tree for two reasons: - They don't look upwards in the tree. - If there are multiple downwards paths of different lengths, only one of the pa... • https://git.kernel.org/stable/c/22bacca48a1755f79b7e0f192ddb9fbb7fc6e64e •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38612 – staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc()
https://notcve.org/view.php?id=CVE-2025-38612
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() In the error paths after fb_info structure is successfully allocated, the memory allocated in fb_deferred_io_init() for info->pagerefs is not freed. Fix that by adding the cleanup function on the error path. • https://git.kernel.org/stable/c/c296d5f9957c03994a699d6739c27d4581a9f6c7 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38611 – vmci: Prevent the dispatching of uninitialized payloads
https://notcve.org/view.php?id=CVE-2025-38611
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: vmci: Prevent the dispatching of uninitialized payloads The reproducer executes the host's unlocked_ioctl call in two different tasks. When init_context fails, the struct vmci_event_ctx is not fully initialized when executing vmci_datagram_dispatch() to send events to all vm contexts. This affects the datagram taken from the datagram queue of its context by another task, because the datagram payload is not initialized according to the size ... • https://git.kernel.org/stable/c/28d6692cd8fb2a900edba5e5983be4478756ef6f •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38608 – bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls
https://notcve.org/view.php?id=CVE-2025-38608
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls When sending plaintext data, we initially calculated the corresponding ciphertext length. However, if we later reduced the plaintext data length via socket policy, we failed to recalculate the ciphertext length. This results in transmitting buffers containing uninitialized data during ciphertext transmission. This causes uninitialized bytes to be appended after a complete ... • https://git.kernel.org/stable/c/d3b18ad31f93d0b6bae105c679018a1ba7daa9ca •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38604 – wifi: rtl818x: Kill URBs before clearing tx status queue
https://notcve.org/view.php?id=CVE-2025-38604
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: rtl818x: Kill URBs before clearing tx status queue In rtl8187_stop() move the call of usb_kill_anchored_urbs() before clearing b_tx_status.queue. This change prevents callbacks from using already freed skb due to anchor was not killed before freeing such skb. BUG: kernel NULL pointer dereference, address: 0000000000000080 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000... • https://git.kernel.org/stable/c/c1db52b9d27ee6e15a7136e67e4a21dc916cd07f •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38602 – iwlwifi: Add missing check for alloc_ordered_workqueue
https://notcve.org/view.php?id=CVE-2025-38602
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: iwlwifi: Add missing check for alloc_ordered_workqueue Add check for the return value of alloc_ordered_workqueue since it may return NULL pointer. • https://git.kernel.org/stable/c/b481de9ca074528fe8c429604e2777db8b89806a •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38601 – wifi: ath11k: clear initialized flag for deinit-ed srng lists
https://notcve.org/view.php?id=CVE-2025-38601
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: clear initialized flag for deinit-ed srng lists In a number of cases we see kernel panics on resume due to ath11k kernel page fault, which happens under the following circumstances: 1) First ath11k_hal_dump_srng_stats() call Last interrupt received for each group: ath11k_pci 0000:01:00.0: group_id 0 22511ms before ath11k_pci 0000:01:00.0: group_id 1 14440788ms before [..] ath11k_pci 0000:01:00.0: failed to receive control resp... • https://git.kernel.org/stable/c/5118935b1bc28d0bce9427e584e11e905e68ee9a •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2025-38595 – xen: fix UAF in dmabuf_exp_from_pages()
https://notcve.org/view.php?id=CVE-2025-38595
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: xen: fix UAF in dmabuf_exp_from_pages() [dma_buf_fd() fixes; no preferences regarding the tree it goes through - up to xen folks] As soon as we'd inserted a file reference into descriptor table, another thread could close it. That's fine for the case when all we are doing is returning that descriptor to userland (it's a race, but it's a userland race and there's nothing the kernel can do about it). However, if we follow fd_install() with an... • https://git.kernel.org/stable/c/a240d6e42e28c34fdc34b3a98ca838a31c939901 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2025-38591 – bpf: Reject narrower access to pointer ctx fields
https://notcve.org/view.php?id=CVE-2025-38591
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buff. This access is detected as a narrower read in bpf_skb_is_valid_access because it doesn't match offsetof(struct __sk_buff, sk). It is therefore allowed and later proceeds to bpf_convert_ctx_access. Note that for the "is_na... • https://git.kernel.org/stable/c/f96da09473b52c09125cc9bf7d7d4576ae8229e0 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-38590 – net/mlx5e: Remove skb secpath if xfrm state is not found
https://notcve.org/view.php?id=CVE-2025-38590
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Remove skb secpath if xfrm state is not found Hardware returns a unique identifier for a decrypted packet's xfrm state, this state is looked up in an xarray. However, the state might have been freed by the time of this lookup. Currently, if the state is not found, only a counter is incremented. The secpath (sp) extension on the skb is not removed, resulting in sp->len becoming 0. Subsequently, functions like __xfrm_policy_check()... • https://git.kernel.org/stable/c/b2ac7541e3777f325c49d900550c9e3dd10c0eda •