
CVE-2025-37992 – net_sched: Flush gso_skb list too during ->change()
https://notcve.org/view.php?id=CVE-2025-37992
26 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: Flush gso_skb list too during ->change() Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q.qlen. This patch introduces a new helper, qdisc_dequeue_internal(), which ensures both the gso_skb list and the main queue are properly flushed... • https://git.kernel.org/stable/c/76e3cc126bb223013a6b9a0e2a51238d1ef2e409 •

CVE-2020-36791 – net_sched: keep alloc_hash updated after hash allocation
https://notcve.org/view.php?id=CVE-2020-36791
07 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: keep alloc_hash updated after hash allocation In commit 599be01ee567 ("net_sched: fix an OOB access in cls_tcindex") I moved cp->hash calculation before the first tcindex_alloc_perfect_hash(), but cp->alloc_hash is left untouched. This difference could lead to another out of bound access. cp->alloc_hash should always be the size allocated, we should update it after this tcindex_alloc_perfect_hash(). In the Linux kernel, the follo... • https://git.kernel.org/stable/c/73c29d2f6f8ae731b1e09051b69ed3ba2319482b •

CVE-2022-21546 – scsi: target: Fix WRITE_SAME No Data Buffer crash
https://notcve.org/view.php?id=CVE-2022-21546
02 May 2025 — In newer version of the SBC specs, we have a NDOB bit that indicates there is no data buffer that gets written out. If this bit is set using commands like "sg_write_same --ndob" we will crash in target_core_iblock/file's execute_write_same handlers when we go to access the se_cmd->t_data_sg because its NULL. CVSS 3.1 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H). In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix WRITE_S... • https://git.kernel.org/stable/c/4226622647e3e5ac06d3ebc1605b917446157510 • CWE-476: NULL Pointer Dereference •

CVE-2022-49908 – Bluetooth: L2CAP: Fix memory leak in vhci_write
https://notcve.org/view.php?id=CVE-2022-49908
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix memory leak in vhci_write Syzkaller reports a memory leak as follows: ==================================== BUG: memory leak unreferenced object 0xffff88810d81ac00 (size 240): [...] hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [

CVE-2022-49902 – block: Fix possible memory leak for rq_wb on add_disk failure
https://notcve.org/view.php?id=CVE-2022-49902
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: block: Fix possible memory leak for rq_wb on add_disk failure kmemleak reported memory leaks in device_add_disk(): kmemleak: 3 new suspected memory leaks unreferenced object 0xffff88800f420800 (size 512): comm "modprobe", pid 4275, jiffies 4295639067 (age 223.512s) hex dump (first 32 bytes): 04 00 00 00 08 00 00 00 01 00 00 00 00 00 00 00 ................ 00 e1 f5 05 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000... • https://git.kernel.org/stable/c/83cbce9574462c6b4eed6797bdaf18fae6859ab3 • CWE-401: Missing Release of Memory after Effective Lifetime •

CVE-2022-49860 – dmaengine: ti: k3-udma-glue: fix memory leak when register device fail
https://notcve.org/view.php?id=CVE-2022-49860
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: k3-udma-glue: fix memory leak when register device fail If device_register() fails, it should call put_device() to give up reference, the name allocated in dev_set_name() can be freed in callback function kobject_cleanup(). In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: k3-udma-glue: fix memory leak when register device fail If device_register() fails, it should call put_device() to give up... • https://git.kernel.org/stable/c/5b65781d06ea90ef2f8e51a13352c43c3daa8cdc • CWE-401: Missing Release of Memory after Effective Lifetime •

CVE-2022-49853 – net: macvlan: fix memory leaks of macvlan_common_newlink
https://notcve.org/view.php?id=CVE-2022-49853
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: macvlan: fix memory leaks of macvlan_common_newlink kmemleak reports memory leaks in macvlan_common_newlink, as follows: ip link add link eth0 name .. type macvlan mode source macaddr add

CVE-2020-36790 – nvmet: fix a memory leak
https://notcve.org/view.php?id=CVE-2020-36790
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: nvmet: fix a memory leak We forgot to free new_model_number • https://git.kernel.org/stable/c/013b7ebe5a0d70e2a02fd225174595e79c591b3e •

CVE-2025-37749 – net: ppp: Add bound checking for skb data on ppp_sync_txmung
https://notcve.org/view.php?id=CVE-2025-37749
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: ppp: Add bound checking for skb data on ppp_sync_txmung Ensure we have enough data in linear buffer from skb before accessing initial bytes. This prevents potential out-of-bounds accesses when processing short packets. When ppp_sync_txmung receives an incoming package with an empty payload: (remote) gef➤ p *(struct pppoe_hdr *) (skb->head + skb->network_header) $18 = { type = 0x1, ver = 0x1, code = 0x0, sid = 0x2, length = 0x0, tag = 0... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-125: Out-of-bounds Read •

CVE-2020-36789 – can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context
https://notcve.org/view.php?id=CVE-2020-36789
17 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but not always, the case), the 'WARN_ON(in_irq)' in net/core/skbuff.c#skb_release_head_state() might be triggered, under network congestion circumstances, together with the potential risk of a NULL pointer dereference. The root cause of this issue is the call to kfree_skb() instead of dev_... • https://git.kernel.org/stable/c/39549eef3587f1c1e8c65c88a2400d10fd30ea17 •