CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-40105 – vfs: Don't leak disconnected dentries on umount
https://notcve.org/view.php?id=CVE-2025-40105
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: vfs: Don't leak disconnected dentries on umount When user calls open_by_handle_at() on some inode that is not cached, we will create disconnected dentry for it. If such dentry is a directory, exportfs_decode_fh_raw() will then try to connect this dentry to the dentry tree through reconnect_path(). It may happen for various reasons (such as corrupted fs or race with rename) that the call to lookup_one_unlocked() in reconnect_one() will fail ... • https://git.kernel.org/stable/c/f1ee616214cb22410e939d963bbb2349c2570f02 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-40104 – ixgbevf: fix mailbox API compatibility by negotiating supported features
https://notcve.org/view.php?id=CVE-2025-40104
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ixgbevf: fix mailbox API compatibility by negotiating supported features There was backward compatibility in the terms of mailbox API. Various drivers from various OSes supporting 10G adapters from Intel portfolio could easily negotiate mailbox API. This convention has been broken since introducing API 1.4. Commit 0062e7cc955e ("ixgbevf: add VF IPsec offload code") added support for IPSec which is specific only for the kernel ixgbe driver. ... • https://git.kernel.org/stable/c/0062e7cc955e0827a88570ed36ea511a7dcb391e •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-40103 – smb: client: Fix refcount leak for cifs_sb_tlink
https://notcve.org/view.php?id=CVE-2025-40103
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: Fix refcount leak for cifs_sb_tlink Fix three refcount inconsistency issues related to `cifs_sb_tlink`. Comments for `cifs_sb_tlink` state that `cifs_put_tlink()` needs to be called after successful calls to `cifs_sb_tlink()`. Three calls fail to update refcount accordingly, leading to possible resource leaks. • https://git.kernel.org/stable/c/8ceb984379462f94bdebef3288d569c6e1f912ea •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2025-40102 – KVM: arm64: Prevent access to vCPU events before init
https://notcve.org/view.php?id=CVE-2025-40102
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Prevent access to vCPU events before init Another day, another syzkaller bug. KVM erroneously allows userspace to pend vCPU events for a vCPU that hasn't been initialized yet, leading to KVM interpreting a bunch of uninitialized garbage for routing / injecting the exception. In one case the injection code and the hyp disagree on whether the vCPU has a 32bit EL1 and put the vCPU into an illegal mode for AArch64, tripping the BUG(... • https://git.kernel.org/stable/c/b7b27facc7b50a5fce0afaa3df56157136ce181a •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-40100 – btrfs: do not assert we found block group item when creating free space tree
https://notcve.org/view.php?id=CVE-2025-40100
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: do not assert we found block group item when creating free space tree Currently, when building a free space tree at populate_free_space_tree(), if we are not using the block group tree feature, we always expect to find block group items (either extent items or a block group item with key type BTRFS_BLOCK_GROUP_ITEM_KEY) when we search the extent tree with btrfs_search_slot_for_read(), so we assert that we found an item. However this ... • https://git.kernel.org/stable/c/a5ed91828518ab076209266c2bc510adabd078df •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-40099 – cifs: parse_dfs_referrals: prevent oob on malformed input
https://notcve.org/view.php?id=CVE-2025-40099
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: parse_dfs_referrals: prevent oob on malformed input Malicious SMB server can send invalid reply to FSCTL_DFS_GET_REFERRALS - reply smaller than sizeof(struct get_dfs_referral_rsp) - reply with number of referrals smaller than NumberOfReferrals in the header Processing of such replies will cause oob. Return -EINVAL error on such replies to prevent oob-s. • https://git.kernel.org/stable/c/cfacc7441f760e4a73cc71b6ff1635261d534657 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2025-40098 – ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state()
https://notcve.org/view.php?id=CVE-2025-40098
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l41: Fix NULL pointer dereference in cs35l41_get_acpi_mute_state() Return value of a function acpi_evaluate_dsm() is dereferenced without checking for NULL, but it is usually checked for this function. acpi_evaluate_dsm() may return NULL, when acpi_evaluate_object() returns acpi_status other than ACPI_SUCCESS, so add a check to prevent the crach. Found by Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/447106e92a0c86c332d40710436f38f64c322cd6 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2025-40097 – ALSA: hda: Fix missing pointer check in hda_component_manager_init function
https://notcve.org/view.php?id=CVE-2025-40097
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: Fix missing pointer check in hda_component_manager_init function The __component_match_add function may assign the 'matchptr' pointer the value ERR_PTR(-ENOMEM), which will subsequently be dereferenced. The call stack leading to the error looks like this: hda_component_manager_init |-> component_match_add |-> component_match_add_release |-> __component_match_add ( ... ,**matchptr, ... ) |-> *matchptr = ERR_PTR(-ENOMEM); // assign... • https://git.kernel.org/stable/c/ae7abe36e352eddf8e30d3b1ea3fb402514ba13b •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-40096 – drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies
https://notcve.org/view.php?id=CVE-2025-40096
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix potential double free in drm_sched_job_add_resv_dependencies When adding dependencies with drm_sched_job_add_dependency(), that function consumes the fence reference both on success and failure, so in the latter case the dma_fence_put() on the error path (xarray failed to expand) is a double free. Interestingly this bug appears to have been present ever since commit ebd5f74255b9 ("drm/sched: Add dependency tracking"), since t... • https://git.kernel.org/stable/c/963d0b3569354230f6e2c36a286ef270a8901878 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2025-40095 – usb: gadget: f_rndis: Refactor bind path to use __free()
https://notcve.org/view.php?id=CVE-2025-40095
30 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_rndis: Refactor bind path to use __free() After an bind/unbind cycle, the rndis->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL pointer dereference when accessing ep->ops->free_request. Refactor the error handling in the bind path to use the __free() automatic cleanup mechanism. • https://git.kernel.org/stable/c/45fe3b8e5342cd1ce307099459c74011d8e01986 •