CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21892 – RDMA/mlx5: Fix the recovery flow of the UMR QP
https://notcve.org/view.php?id=CVE-2025-21892
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix the recovery flow of the UMR QP This patch addresses an issue in the recovery flow of the UMR QP, ensuring tasks do not get stuck, as highlighted by the call trace [1]. During recovery, before transitioning the QP to the RESET state, the software must wait for all outstanding WRs to complete. Failing to do so can cause the firmware to skip sending some flushed CQEs with errors and simply discard them upon the RESET, as per th... • https://git.kernel.org/stable/c/158e71bb69e368b8b33e8b7c4ac8c111da0c1ae2 •
CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21891 – ipvlan: ensure network headers are in skb linear part
https://notcve.org/view.php?id=CVE-2025-21891
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: ipvlan: ensure network headers are in skb linear part syzbot found that ipvlan_process_v6_outbound() was assuming the IPv6 network header isis present in skb->head [1] Add the needed pskb_network_may_pull() calls for both IPv4 and IPv6 handlers. [1] BUG: KMSAN: uninit-value in __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47 __ipv6_addr_type+0xa2/0x490 net/ipv6/addrconf_core.c:47 ipv6_addr_type include/net/ipv6.h:555 [inline] ip6_rou... • https://git.kernel.org/stable/c/2ad7bf3638411cb547f2823df08166c13ab04269 •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21890 – idpf: fix checksums set in idpf_rx_rsc()
https://notcve.org/view.php?id=CVE-2025-21890
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: idpf: fix checksums set in idpf_rx_rsc() idpf_rx_rsc() uses skb_transport_offset(skb) while the transport header is not set yet. This triggers the following warning for CONFIG_DEBUG_NET=y builds. DEBUG_NET_WARN_ON_ONCE(!skb_transport_header_was_set(skb)) [ 69.261620] WARNING: CPU: 7 PID: 0 at ./include/linux/skbuff.h:3020 idpf_vport_splitq_napi_poll (include/linux/skbuff.h:3020) idpf [ 69.261629] Modules linked in: vfat fat dummy bridge int... • https://git.kernel.org/stable/c/3a8845af66edb340ba9210bb8a0da040c7d6e590 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21889 – perf/core: Add RCU read lock protection to perf_iterate_ctx()
https://notcve.org/view.php?id=CVE-2025-21889
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: perf/core: Add RCU read lock protection to perf_iterate_ctx() The perf_iterate_ctx() function performs RCU list traversal but currently lacks RCU read lock protection. This causes lockdep warnings when running perf probe with unshare(1) under CONFIG_PROVE_RCU_LIST=y: WARNING: suspicious RCU usage kernel/events/core.c:8168 RCU-list traversed in non-reader section!! Call Trace: lockdep_rcu_suspicious ? perf_event_addr_filters_apply perf_itera... • https://git.kernel.org/stable/c/bd27568117664b8b3e259721393df420ed51f57b •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21888 – RDMA/mlx5: Fix a WARN during dereg_mr for DM type
https://notcve.org/view.php?id=CVE-2025-21888
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix a WARN during dereg_mr for DM type Memory regions (MR) of type DM (device memory) do not have an associated umem. In the __mlx5_ib_dereg_mr() -> mlx5_free_priv_descs() flow, the code incorrectly takes the wrong branch, attempting to call dma_unmap_single() on a DMA address that is not mapped. This results in a WARN [1], as shown below. The issue is resolved by properly accounting for the DM type and ensuring the correct branc... • https://git.kernel.org/stable/c/f18ec422311767738ef4033b61e91cae07163b22 •
CVSS: 8.8EPSS: 0%CPEs: 9EXPL: 0CVE-2025-21887 – ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up
https://notcve.org/view.php?id=CVE-2025-21887
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/over... • https://git.kernel.org/stable/c/62f29ca45f832e281fc14966ac25f6ff3bd121ca • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-21885 – RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers
https://notcve.org/view.php?id=CVE-2025-21885
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix the page details for the srq created by kernel consumers While using nvme target with use_srq on, below kernel panic is noticed. [ 549.698111] bnxt_en 0000:41:00.0 enp65s0np0: FEC autoneg off encoding: Clause 91 RS(544,514) [ 566.393619] Oops: divide error: 0000 [#1] PREEMPT SMP NOPTI .. [ 566.393799]
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2025-21884 – net: better track kernel sockets lifetime
https://notcve.org/view.php?id=CVE-2025-21884
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: net: better track kernel sockets lifetime While kernel sockets are dismantled during pernet_operations->exit(), their freeing can be delayed by any tx packets still held in qdisc or device queues, due to skb_set_owner_w() prior calls. This then trigger the following warning from ref_tracker_dir_exit() [1] To fix this, make sure that kernel sockets own a reference on net->passive. Add sk_net_refcnt_upgrade() helper, used whenever a kernel so... • https://git.kernel.org/stable/c/0cafd77dcd032d1687efaba5598cf07bce85997f •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2025-21883 – ice: Fix deinitializing VF in error path
https://notcve.org/view.php?id=CVE-2025-21883
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: ice: Fix deinitializing VF in error path If ice_ena_vfs() fails after calling ice_create_vf_entries(), it frees all VFs without removing them from snapshot PF-VF mailbox list, leading to list corruption. Reproducer: devlink dev eswitch set $PF1_PCI mode switchdev ip l s $PF1 up ip l s $PF1 promisc on sleep 1 echo 1 > /sys/class/net/$PF1/device/sriov_numvfs sleep 1 echo 1 > /sys/class/net/$PF1/device/sriov_numvfs Trace (minimized): list_add ... • https://git.kernel.org/stable/c/8cd8a6b17d275a45e3722d0215f6115b687c8c3e •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-21881 – uprobes: Reject the shared zeropage in uprobe_write_opcode()
https://notcve.org/view.php?id=CVE-2025-21881
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: uprobes: Reject the shared zeropage in uprobe_write_opcode() We triggered the following crash in syzkaller tests: BUG: Bad page state in process syz.7.38 pfn:1eff3 page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1eff3 flags: 0x3fffff00004004(referenced|reserved|node=0|zone=1|lastcpupid=0x1fffff) raw: 003fffff00004004 ffffe6c6c07bfcc8 ffffe6c6c07bfcc8 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffff... • https://git.kernel.org/stable/c/2b144498350860b6ee9dc57ff27a93ad488de5dc •