CVSS: 7.1EPSS: %CPEs: 4EXPL: 0CVE-2025-38500 – xfrm: interface: fix use-after-free after changing collect_md xfrm interface
https://notcve.org/view.php?id=CVE-2025-38500
12 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: xfrm: interface: fix use-after-free after changing collect_md xfrm interface collect_md property on xfrm interfaces can only be set on device creation, thus xfrmi_changelink() should fail when called on such interfaces. The check to enforce this was done only in the case where the xi was returned from xfrmi_locate() which doesn't look for the collect_md interface, and thus the validation was never reached. Calling changelink would thus erro... • https://git.kernel.org/stable/c/abc340b38ba25cd6c7aa2c0bd9150d30738c82d0 •
CVSS: 7.1EPSS: 0%CPEs: 12EXPL: 0CVE-2025-38499 – clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns
https://notcve.org/view.php?id=CVE-2025-38499
11 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns What we want is to verify there is that clone won't expose something hidden by a mount we wouldn't be able to undo. "Wouldn't be able to undo" may be a result of MNT_LOCKED on a child, but it may also come from lacking admin rights in the userns of the namespace mount belongs to. clone_private_mnt() checks the former, but not the latter. There's a number of rat... • https://git.kernel.org/stable/c/427215d85e8d1476da1a86b8d67aceb485eb3631 •
CVSS: 5.7EPSS: 0%CPEs: 2EXPL: 0CVE-2024-58238 – Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test
https://notcve.org/view.php?id=CVE-2024-58238
09 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test This fixes the tx timeout issue seen while running a stress test on btnxpuart for couple of hours, such that the interval between two HCI commands coincide with the power save timeout value of 2 seconds. Test procedure using bash script:
CVSS: 5.6EPSS: 0%CPEs: 1EXPL: 0CVE-2022-50233 – Bluetooth: eir: Fix using strlen with hdev->{dev_name,short_name}
https://notcve.org/view.php?id=CVE-2022-50233
09 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix using strlen with hdev->{dev_name,short_name} Both dev_name and short_name are not guaranteed to be NULL terminated so this instead use strnlen and then attempt to determine if the resulting string needs to be truncated or not. In the Linux kernel, the following vulnerability has been resolved: Bluetooth: eir: Fix using strlen with hdev->{dev_name,short_name} Both dev_name and short_name are not guaranteed to be NULL ter... • https://git.kernel.org/stable/c/dd7b8cdde098cf9f7c8de409b5b7bbb98f97be80 •
CVSS: 9.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38498 – do_change_type(): refuse to operate on unmounted/not ours mounts
https://notcve.org/view.php?id=CVE-2025-38498
30 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: do_change_type(): refuse to operate on unmounted/not ours mounts Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2). En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: do_change_type(): se niega a operar en montajes no montados o que no son nuestros. Garantiza que la configuración de propagación solo se pued... • https://git.kernel.org/stable/c/07b20889e3052c7e77d6a6a54e7e83446eb1ba84 •
CVSS: 6.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38497 – usb: gadget: configfs: Fix OOB read on empty string write
https://notcve.org/view.php?id=CVE-2025-38497
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Fix OOB read on empty string write When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1] before validating that the length 'l' is greater than zero. This patch fixes the vulnerability by adding a check at the beginning of os_desc_qw_sign_store() and webusb_landingPage_store() to handle the zero-length input case gracefully by returning imm... • https://git.kernel.org/stable/c/2798111f8e504ac747cce911226135d50b8de468 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38496 – dm-bufio: fix sched in atomic context
https://notcve.org/view.php?id=CVE-2025-38496
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: dm-bufio: fix sched in atomic context If "try_verify_in_tasklet" is set for dm-verity, DM_BUFIO_CLIENT_NO_SLEEP is enabled for dm-bufio. However, when bufio tries to evict buffers, there is a chance to trigger scheduling in spin_lock_bh, the following warning is hit: BUG: sleeping function called from invalid context at drivers/md/dm-bufio.c:2745 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 123, name: kworker/2:2 preempt_count: 20... • https://git.kernel.org/stable/c/450e8dee51aa6fa1dd0f64073e88235f1a77b035 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38495 – HID: core: ensure the allocated report buffer can contain the reserved report ID
https://notcve.org/view.php?id=CVE-2025-38495
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: core: ensure the allocated report buffer can contain the reserved report ID When the report ID is not used, the low level transport drivers expect the first byte to be 0. However, currently the allocated buffer not account for that extra byte, meaning that instead of having 8 guaranteed bytes for implement to be working, we only have 7. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: núcleo: garantizar que el bú... • https://git.kernel.org/stable/c/d3ed1d84a84538a39b3eb2055d6a97a936c108f2 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38494 – HID: core: do not bypass hid_hw_raw_request
https://notcve.org/view.php?id=CVE-2025-38494
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: core: do not bypass hid_hw_raw_request hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid paramto be used. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: HID: núcleo: no omitir hid_hw_raw_request. hid_hw_raw_request() es útil para garantizar la validez del búfer y la longitud... • https://git.kernel.org/stable/c/a62a895edb2bfebffa865b5129a66e3b4287f34f •
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38493 – tracing/osnoise: Fix crash in timerlat_dump_stack()
https://notcve.org/view.php?id=CVE-2025-38493
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: tracing/osnoise: Fix crash in timerlat_dump_stack() We have observed kernel panics when using timerlat with stack saving, with the following dmesg output: memcpy: detected buffer overflow: 88 byte write of buffer size 0 WARNING: CPU: 2 PID: 8153 at lib/string_helpers.c:1032 __fortify_report+0x55/0xa0 CPU: 2 UID: 0 PID: 8153 Comm: timerlatu/2 Kdump: loaded Not tainted 6.15.3-200.fc42.x86_64 #1 PREEMPT(lazy) Call Trace: