CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2025-38553 – net/sched: Restrict conditions for adding duplicating netems to qdisc tree
https://notcve.org/view.php?id=CVE-2025-38553
19 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: Restrict conditions for adding duplicating netems to qdisc tree netem_enqueue's duplication prevention logic breaks when a netem resides in a qdisc tree with other netems - this can lead to a soft lockup and OOM loop in netem_dequeue, as seen in [1]. Ensure that a duplicating netem cannot exist in a tree with other netems. Previous approaches suggested in discussions in chronological order: 1) Track duplication status or ttl in t... • https://git.kernel.org/stable/c/0afb51e72855971dba83b3c6b70c547c2d1161fd •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2023-4130 – ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea()
https://notcve.org/view.php?id=CVE-2023-4130
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix wrong next length validation of ea buffer in smb2_set_ea() There are multiple smb2_ea_info buffers in FILE_FULL_EA_INFORMATION request from client. ksmbd find next smb2_ea_info using ->NextEntryOffset of current smb2_ea_info. ksmbd need to validate buffer length Before accessing the next ea. ksmbd should check buffer length using buf_len, not next variable. next is the start offset of current ea that got from previous ea. In the ... • https://git.kernel.org/stable/c/0626e6641f6b467447c81dd7678a69c66f7746cf •
CVSS: 10.0EPSS: 0%CPEs: 5EXPL: 0CVE-2023-4515 – ksmbd: validate command request size
https://notcve.org/view.php?id=CVE-2023-4515
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate command request size In commit 2b9b8f3b68ed ("ksmbd: validate command payload size"), except for SMB2_OPLOCK_BREAK_HE command, the request size of other commands is not checked, it's not expected. Fix it by add check for request size of other commands. In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate command request size In commit 2b9b8f3b68ed ("ksmbd: validate command payload size"), excep... • https://git.kernel.org/stable/c/35f450f54dca1519bb24faacd0428db09f89a11f •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38552 – mptcp: plug races between subflow fail and subflow creation
https://notcve.org/view.php?id=CVE-2025-38552
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: mptcp: plug races between subflow fail and subflow creation We have races similar to the one addressed by the previous patch between subflow failing and additional subflow creation. They are just harder to trigger. The solution is similar. Use a separate flag to track the condition 'socket state prevent any additional subflow creation' protected by the fallback lock. The socket fallback makes such flag true, and also receiving or sending an... • https://git.kernel.org/stable/c/478d770008b03ed9d74bdc8add2315b7fd124ecc •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38551 – virtio-net: fix recursived rtnl_lock() during probe()
https://notcve.org/view.php?id=CVE-2025-38551
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: virtio-net: fix recursived rtnl_lock() during probe() The deadlock appears in a stack trace like: virtnet_probe() rtnl_lock() virtio_config_changed_work() netdev_notify_peers() rtnl_lock() It happens if the VMM sends a VIRTIO_NET_S_ANNOUNCE request while the virtio-net driver is still probing. The config_work in probe() will get scheduled until virtnet_open() enables the config change notification via virtio_config_driver_enable(). In the L... • https://git.kernel.org/stable/c/df28de7b00502761eba62490f413c65c9b175ed9 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38550 – ipv6: mcast: Delay put pmc->idev in mld_del_delrec()
https://notcve.org/view.php?id=CVE-2025-38550
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->idev in mld_del_delrec() pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec() does, the reference should be put after ip6_mc_clear_src() return. In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: Delay put pmc->idev in mld_del_delrec() pmc->idev is still used in ip6_mc_clear_src(), so as mld_clear_delrec() does, the reference should be put after ip6_mc_clear_src() ... • https://git.kernel.org/stable/c/63ed8de4be81b699ca727e9f8e3344bd487806d7 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38549 – efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths
https://notcve.org/view.php?id=CVE-2025-38549
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths When processing mount options, efivarfs allocates efivarfs_fs_info (sfi) early in fs_context initialization. However, sfi is associated with the superblock and typically freed when the superblock is destroyed. If the fs_context is released (final put) before fill_super is called—such as on error paths or during reconfiguration—the sfi structure would leak, as ownership ... • https://git.kernel.org/stable/c/5329aa5101f73c451bcd48deaf3f296685849d9c •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38548 – hwmon: (corsair-cpro) Validate the size of the received input buffer
https://notcve.org/view.php?id=CVE-2025-38548
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (corsair-cpro) Validate the size of the received input buffer Add buffer_recv_size to store the size of the received bytes. Validate buffer_recv_size in send_usb_cmd(). In the Linux kernel, the following vulnerability has been resolved: hwmon: (corsair-cpro) Validate the size of the received input buffer Add buffer_recv_size to store the size of the received bytes. Validate buffer_recv_size in send_usb_cmd(). • https://git.kernel.org/stable/c/40c3a445422579db8ad96c234dbe6c0ab3f6b936 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38547 – iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps
https://notcve.org/view.php?id=CVE-2025-38547
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps The AXP717 ADC channel maps is missing a sentinel entry at the end. This causes a KASAN warning. Add the missing sentinel entry. In the Linux kernel, the following vulnerability has been resolved: iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps The AXP717 ADC channel maps is missing a sentinel entry at the end. This causes a KASAN warning. • https://git.kernel.org/stable/c/5ba0cb92584ba5e107c97001e09013c1da0772a8 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38546 – atm: clip: Fix memory leak of struct clip_vcc.
https://notcve.org/view.php?id=CVE-2025-38546
16 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: atm: clip: Fix memory leak of struct clip_vcc. ioctl(ATMARP_MKIP) allocates struct clip_vcc and set it to vcc->user_back. The code assumes that vcc_destroy_socket() passes NULL skb to vcc->push() when the socket is close()d, and then clip_push() frees clip_vcc. However, ioctl(ATMARPD_CTRL) sets NULL to vcc->push() in atm_init_atmarp(), resulting in memory leak. Let's serialise two ioctl() by lock_sock() and check vcc->push() in atm_init_atm... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •