CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-38498 – do_change_type(): refuse to operate on unmounted/not ours mounts
https://notcve.org/view.php?id=CVE-2025-38498
30 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: do_change_type(): refuse to operate on unmounted/not ours mounts Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2). • https://git.kernel.org/stable/c/07b20889e3052c7e77d6a6a54e7e83446eb1ba84 •
CVSS: 6.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38497 – usb: gadget: configfs: Fix OOB read on empty string write
https://notcve.org/view.php?id=CVE-2025-38497
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Fix OOB read on empty string write When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1] before validating that the length 'l' is greater than zero. This patch fixes the vulnerability by adding a check at the beginning of os_desc_qw_sign_store() and webusb_landingPage_store() to handle the zero-length input case gracefully by returning imm... • https://git.kernel.org/stable/c/2798111f8e504ac747cce911226135d50b8de468 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38496 – dm-bufio: fix sched in atomic context
https://notcve.org/view.php?id=CVE-2025-38496
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: dm-bufio: fix sched in atomic context If "try_verify_in_tasklet" is set for dm-verity, DM_BUFIO_CLIENT_NO_SLEEP is enabled for dm-bufio. However, when bufio tries to evict buffers, there is a chance to trigger scheduling in spin_lock_bh, the following warning is hit: BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2745 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 123, name: kworker/2:2 preempt_count: 20... • https://git.kernel.org/stable/c/450e8dee51aa6fa1dd0f64073e88235f1a77b035 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38495 – HID: core: ensure the allocated report buffer can contain the reserved report ID
https://notcve.org/view.php?id=CVE-2025-38495
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: core: ensure the allocated report buffer can contain the reserved report ID When the report ID is not used, the low level transport drivers expect the first byte to be 0. However, currently the allocated buffer not account for that extra byte, meaning that instead of having 8 guaranteed bytes for implement to be working, we only have 7. In the Linux kernel, the following vulnerability has been resolved: HID: core: ensure the allocated ... • https://git.kernel.org/stable/c/d3ed1d84a84538a39b3eb2055d6a97a936c108f2 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38494 – HID: core: do not bypass hid_hw_raw_request
https://notcve.org/view.php?id=CVE-2025-38494
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: core: do not bypass hid_hw_raw_request hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid paramto be used. In the Linux kernel, the following vulnerability has been resolved: HID: core: do not bypass hid_hw_raw_request hid_hw_raw_request() is actually useful to ensure the provided buffer and len... • https://git.kernel.org/stable/c/a62a895edb2bfebffa865b5129a66e3b4287f34f •
CVSS: 6.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38491 – mptcp: make fallback action and fallback decision atomic
https://notcve.org/view.php?id=CVE-2025-38491
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: mptcp: make fallback action and fallback decision atomic Syzkaller reported the following splat: WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 __mptcp_do_fallback net/mptcp/protocol.h:1223 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1244 [inline] WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 check_fully_established net/mptcp/options.c:982 [inline] WARNING: CPU: 1 P... • https://git.kernel.org/stable/c/0530020a7c8f2204e784f0dbdc882bbd961fdbde •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38490 – net: libwx: remove duplicate page_pool_put_full_page()
https://notcve.org/view.php?id=CVE-2025-38490
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net: libwx: remove duplicate page_pool_put_full_page() page_pool_put_full_page() should only be invoked when freeing Rx buffers or building a skb if the size is too short. At other times, the pages need to be reused. So remove the redundant page put. In the original code, double free pages cause kernel panic: [ 876.949834] __irq_exit_rcu+0xc7/0x130 [ 876.949836] common_interrupt+0xb8/0xd0 [ 876.949838] [ 876.949838]
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38488 – smb: client: fix use-after-free in crypt_message when using async crypto
https://notcve.org/view.php?id=CVE-2025-38488
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: smb: client: fix use-after-free in crypt_message when using async crypto The CVE-2024-50047 fix removed asynchronous crypto handling from crypt_message(), assuming all crypto operations are synchronous. However, when hardware crypto accelerators are used, this can cause use-after-free crashes: crypt_message() // Allocate the creq buffer containing the req creq = smb2_get_aead_req(..., &req); // Async encryption returns -EINPROGRESS immediat... • https://git.kernel.org/stable/c/bce966530fd5542bbb422cb45ecb775f7a1a6bc3 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38487 – soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled
https://notcve.org/view.php?id=CVE-2025-38487
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Mitigate e.g. the following: # echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind ... [ 120.363594] Unable to handle kernel NULL pointer dereference at virtual address 00000004 when write [ 120.373866] [00000004] *pgd=00000000 [ 120.377910] Internal error: Oops: 805 [#1] SMP ARM [ 120.383306] CPU: 1 UID: 0 PID: 315 Comm: sh Not tainted 6.15.0-rc1-000... • https://git.kernel.org/stable/c/9f4f9ae81d0affc182f54dd00285ddb90e0b3ae1 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38485 – iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush
https://notcve.org/view.php?id=CVE-2025-38485
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush fxls8962af_fifo_flush() uses indio_dev->active_scan_mask (with iio_for_each_active_channel()) without making sure the indio_dev stays in buffer mode. There is a race if indio_dev exits buffer mode in the middle of the interrupt that flushes the fifo. Fix this by calling synchronize_irq() to ensure that no interrupt is currently running when disabling buffer mode. Unable to ... • https://git.kernel.org/stable/c/79e3a5bdd9efbdf4e1069793d7735b432d641e7c •