CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21796 – nfsd: clear acl_access/acl_default after releasing them
https://notcve.org/view.php?id=CVE-2025-21796
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nfsd: clear acl_access/acl_default after releasing them If getting acl_default fails, acl_access and acl_default will be released simultaneously. However, acl_access will still retain a pointer pointing to the released posix_acl, which will trigger a WARNING in nfs3svc_release_getacl like this: ------------[ cut here ]------------ refcount_t: underflow; use-after-free. WARNING: CPU: 26 PID: 3199 at lib/refcount.c:28 refcount_warn_saturate+0... • https://git.kernel.org/stable/c/a257cdd0e2179630d3201c32ba14d7fcb3c3a055 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2025-21795 – NFSD: fix hang in nfsd4_shutdown_callback
https://notcve.org/view.php?id=CVE-2025-21795
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: NFSD: fix hang in nfsd4_shutdown_callback If nfs4_client is in courtesy state then there is no point to send the callback. This causes nfsd4_shutdown_callback to hang since cl_cb_inflight is not 0. This hang lasts about 15 minutes until TCP notifies NFSD that the connection was dropped. This patch modifies nfsd4_run_cb_work to skip the RPC call if nfs4_client is in courtesy state. • https://git.kernel.org/stable/c/66af25799940b26efd41ea6e648f75c41a48a2c2 •
CVSS: -EPSS: 0%CPEs: 11EXPL: 0CVE-2025-21792 – ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt
https://notcve.org/view.php?id=CVE-2025-21792
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt If an AX25 device is bound to a socket by setting the SO_BINDTODEVICE socket option, a refcount leak will occur in ax25_release(). Commit 9fd75b66b8f6 ("ax25: Fix refcount leaks caused by ax25_cb_del()") added decrement of device refcounts in ax25_release(). In order for that to work correctly the refcounts must already be incremented when the device is bound to the socket. A... • https://git.kernel.org/stable/c/9fd75b66b8f68498454d685dc4ba13192ae069b0 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21791 – vrf: use RCU protection in l3mdev_l3_out()
https://notcve.org/view.php?id=CVE-2025-21791
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF. • https://git.kernel.org/stable/c/a8e3e1a9f02094145580ea7920c6a1d9aabd5539 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21790 – vxlan: check vxlan_vnigroup_init() return value
https://notcve.org/view.php?id=CVE-2025-21790
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: vxlan: check vxlan_vnigroup_init() return value vxlan_init() must check vxlan_vnigroup_init() success otherwise a crash happens later, spotted by syzbot. Oops: general protection fault, probably for non-canonical address 0xdffffc000000002c: 0000 [#1] PREEMPT SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000160-0x0000000000000167] CPU: 0 UID: 0 PID: 7313 Comm: syz-executor147 Not tainted 6.14.0-rc1-syzkaller-00276-g69b54314c975... • https://git.kernel.org/stable/c/f9c4bb0b245cee35ef66f75bf409c9573d934cf9 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21787 – team: better TEAM_OPTION_TYPE_STRING validation
https://notcve.org/view.php?id=CVE-2025-21787
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: team: better TEAM_OPTION_TYPE_STRING validation syzbot reported following splat [1] Make sure user-provided data contains one nul byte. [1] BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:633 [inline] BUG: KMSAN: uninit-value in string+0x3ec/0x5f0 lib/vsprintf.c:714 string_nocheck lib/vsprintf.c:633 [inline] string+0x3ec/0x5f0 lib/vsprintf.c:714 vsnprintf+0xa5d/0x1960 lib/vsprintf.c:2843 __request_module+0x252/0x9f0 kernel/module/... • https://git.kernel.org/stable/c/3d249d4ca7d0ed6629a135ea1ea21c72286c0d80 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21786 – workqueue: Put the pwq after detaching the rescuer from the pool
https://notcve.org/view.php?id=CVE-2025-21786
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: workqueue: Put the pwq after detaching the rescuer from the pool The commit 68f83057b913("workqueue: Reap workers via kthread_stop() and remove detach_completion") adds code to reap the normal workers but mistakenly does not handle the rescuer and also removes the code waiting for the rescuer in put_unbound_pool(), which caused a use-after-free bug reported by Cheung Wall. To avoid the use-after-free bug, the pool’s reference must be held u... • https://git.kernel.org/stable/c/e7c16028a424dd35be1064a68fa318be4359310f •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21785 – arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array
https://notcve.org/view.php?id=CVE-2025-21785
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Avoid out-of-bounds write to cacheinfo array The loop that detects/populates cache information already has a bounds check on the array size but does not account for cache levels with separate data/instructions cache. Fix this by incrementing the index for any populated leaf (instead of any populated level). • https://git.kernel.org/stable/c/5d425c18653731af62831d30a4fa023d532657a9 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21782 – orangefs: fix a oob in orangefs_debug_write
https://notcve.org/view.php?id=CVE-2025-21782
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: orangefs: fix a oob in orangefs_debug_write I got a syzbot report: slab-out-of-bounds Read in orangefs_debug_write... several people suggested fixes, I tested Al Viro's suggestion and made this patch. • https://git.kernel.org/stable/c/1da2697307dad281dd690a19441b5ca4af92d786 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21781 – batman-adv: fix panic during interface removal
https://notcve.org/view.php?id=CVE-2025-21781
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: batman-adv: fix panic during interface removal Reference counting is used to ensure that batadv_hardif_neigh_node and batadv_hard_iface are not freed before/during batadv_v_elp_throughput_metric_update work is finished. But there isn't a guarantee that the hard if will remain associated with a soft interface up until the work is finished. This fixes a crash triggered by reboot that looks like this: Call trace: batadv_v_mesh_free+0xd0/0x4dc ... • https://git.kernel.org/stable/c/c833484e5f3872a38fe232c663586069d5ad9645 •