CVSS: 5.6 | EPSS: % | CPEs: 4 | EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: xfrm: state: initialize state_ptrs earlier in xfrm_state_find In case of preemption, xfrm_state_look_at will find a different pcpu_id and look up states for that other CPU. If we matched a state for CPU2 in the state_cache while the lookup started on CPU1, we will jump to "found", but the "best" state that we got will be ignored and we will enter the "acquire" block. This block uses state_ptrs, which isn't initialized at this point. Let's i... • https://git.kernel.org/stable/c/a16871c7832ea6435abb6e0b58289ae7dcb7e4fc •

CVSS: 5.5 | EPSS: % | CPEs: 2 | EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "drm/prime: Use dma_buf from GEM object instance" This reverts commit f83a9b8c7fd0557b0c50784bfdc1bbe9140c9bf8. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") an... • https://git.kernel.org/stable/c/f83a9b8c7fd0557b0c50784bfdc1bbe9140c9bf8 •

CVSS: 5.5 | EPSS: % | CPEs: 2 | EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "drm/gem-framebuffer: Use dma_buf from GEM object instance" This reverts commit cce16fcd7446dcff7480cd9d2b6417075ed81065. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebu... • https://git.kernel.org/stable/c/cce16fcd7446dcff7480cd9d2b6417075ed81065 •

CVSS: 5.5 | EPSS: % | CPEs: 2 | EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "drm/gem-dma: Use dma_buf from GEM object instance" This reverts commit e8afa1557f4f963c9a511bd2c6074a941c308685. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers") ... • https://git.kernel.org/stable/c/e8afa1557f4f963c9a511bd2c6074a941c308685 •

CVSS: 5.5 | EPSS: % | CPEs: 5 | EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: i2c: qup: jump out of the loop in case of timeout Original logic only sets the return value but doesn't jump out of the loop if the bus is kept active by a client. This is not expected. A malicious or buggy i2c client can hang the kernel in this case and should be avoided. This is observed during a long time test with a PCA953x GPIO extender. Fix it by changing the logic to not only set the return value, but also jump out of the loop and ... • https://git.kernel.org/stable/c/fbfab1ab065879370541caf0e514987368eb41b2 •

CVSS: 7.1 | EPSS: % | CPEs: 7 | EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change to different stacks along with the Shadow Call Stack if it is enabled. Those two stack changes cannot be done atomically and both functions can be interrupted by SErrors or Debug Exceptions which, though unlikely, is very much broken: if interrupted, we can end up with mismatched stacks and Shadow Call Stack le... • https://git.kernel.org/stable/c/59b37fe52f49955791a460752c37145f1afdcad1 •

CVSS: 8.4 | EPSS: % | CPEs: 2 | EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "drm/gem-shmem: Use dma_buf from GEM object instance" This reverts commit 1a148af06000e545e714fe3210af3d77ff903c11. The dma_buf field in struct drm_gem_object is not stable over the object instance's lifetime. The field becomes NULL when user space releases the final GEM handle on the buffer object. This resulted in a NULL-pointer deref. Workarounds in commit 5307dce878d4 ("drm/gem: Acquire references on GEM handles for framebuffers"... • https://git.kernel.org/stable/c/1a148af06000e545e714fe3210af3d77ff903c11 •

CVSS: 5.5 | EPSS: % | CPEs: 5 | EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix NULL dereference on unbind due to stale coupling data Failing to reset coupling_desc.n_coupled after freeing coupled_rdevs can lead to NULL pointer dereference when regulators are accessed post-unbind. This can happen during runtime PM or other regulator operations that rely on coupling metadata. For example, on ridesx4, unbinding the 'reg-dummy' platform device triggers a panic in regulator_lock_recursive() due to stal... • https://git.kernel.org/stable/c/800a2cfb2df7f96b3fb48910fc595e0215f6b019 •

CVSS: 7.8 | EPSS: % | CPEs: 2 | EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: fix potential out-of-bound write The buffer is set to 20 characters. If a caller writes more characters, count is truncated to the max available space in "simple_write_to_buffer". To protect from OoB access, check that the input size fits into buffer and add a zero terminator after copy to the end of the copied data. • https://git.kernel.org/stable/c/6d5dd486c715908b5a6ed02315a15ff044a91025 •

CVSS: 5.6 | EPSS: % | CPEs: 5 | EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_time... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •