
CVE-2025-22007 – Bluetooth: Fix error code in chan_alloc_skb_cb()
https://notcve.org/view.php?id=CVE-2025-22007
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix error code in chan_alloc_skb_cb() The chan_alloc_skb_cb() function is supposed to return error pointers on error. Returning NULL will lead to a NULL dereference. • https://git.kernel.org/stable/c/6b8d4a6a03144c5996f98db7f8256267b0d72a3a

CVE-2025-22005 – ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw().
https://notcve.org/view.php?id=CVE-2025-22005
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix memleak of nhc_pcpu_rth_output in fib_check_nh_v6_gw(). fib_check_nh_v6_gw() expects that fib6_nh_init() cleans up everything when it fails. Commit 7dd73168e273 ("ipv6: Always allocate pcpu memory in a fib6_nh") moved fib_nh_common_init() before alloc_percpu_gfp() within fib6_nh_init() but forgot to add cleanup for fib6_nh->nh_common.nhc_pcpu_rth_output in case it fails to allocate fib6_nh->rt6i_pcpu, resulting in memleak. Let's c... • https://git.kernel.org/stable/c/7dd73168e273938b9e9bb42ca51b0c27d807992b

CVE-2025-22004 – net: atm: fix use after free in lec_send()
https://notcve.org/view.php?id=CVE-2025-22004
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: net: atm: fix use after free in lec_send() The ->send() operation frees skb so save the length before calling ->send() to avoid a use after free. • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-416: Use After Free

CVE-2025-22003 – can: ucan: fix out of bound read in strscpy() source
https://notcve.org/view.php?id=CVE-2025-22003
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: can: ucan: fix out of bound read in strscpy() source Commit 7fdaf8966aae ("can: ucan: use strscpy() to instead of strncpy()") unintentionally introduced a one byte out of bound read on strscpy()'s source argument (which is kind of ironic knowing that strscpy() is meant to be a more secure alternative :)). Let's consider below buffers: dest[len + 1]; /* will be NUL terminated */ src[len]; /* may not be NUL terminated */ When doing: strncpy(d... • https://git.kernel.org/stable/c/7fdaf8966aae476deafe11f9a0067ff588615444

CVE-2025-22002 – netfs: Call `invalidate_cache` only if implemented
https://notcve.org/view.php?id=CVE-2025-22002
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: netfs: Call `invalidate_cache` only if implemented Many filesystems such as NFS and Ceph do not implement the `invalidate_cache` method. On those filesystems, if writing to the cache (`NETFS_WRITE_TO_CACHE`) fails for some reason, the kernel crashes like this: BUG: kernel NULL pointer dereference, address: 0000000000000000 #PF: supervisor instruction fetch in kernel mode #PF: error_code(0x0010) - not-present page PGD 0 P4D 0 Oops: Oops: 001... • https://git.kernel.org/stable/c/0e0f2dfe880fb19e4b15a7ca468623eb0b4ba586

CVE-2025-22001 – accel/qaic: Fix integer overflow in qaic_validate_req()
https://notcve.org/view.php?id=CVE-2025-22001
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix integer overflow in qaic_validate_req() These are u64 variables that come from the user via qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that the math doesn't have an integer wrapping bug. • https://git.kernel.org/stable/c/ff13be8303336ead5621712f2c55012d738878b5

CVE-2025-22000 – mm/huge_memory: drop beyond-EOF folios with the right number of refs
https://notcve.org/view.php?id=CVE-2025-22000
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: drop beyond-EOF folios with the right number of refs When an after-split folio is large and needs to be dropped due to EOF, folio_put_refs(folio, folio_nr_pages(folio)) should be used to drop all page cache refs. Otherwise, the folio will not be freed, causing memory leak. This leak would happen on a filesystem with blocksize > page_size and a truncate is performed, where the blocksize makes folios split to >0 order ones, ca... • https://git.kernel.org/stable/c/c010d47f107f609b9f4d6a103b6dfc53889049e9

CVE-2025-21999 – proc: fix UAF in proc_get_inode()
https://notcve.org/view.php?id=CVE-2025-21999
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: proc: fix UAF in proc_get_inode() Fix race between rmmod and /proc/XXX's inode instantiation. The bug is that pde->proc_ops don't belong to /proc, it belongs to a module, therefore dereferencing it after /proc entry has been registered is a bug unless use_pde/unuse_pde() pair has been used. use_pde/unuse_pde can be avoided (2 atomic ops!) because pde->proc_ops never changes so information necessary for inode instantiation can be saved _befo... • https://git.kernel.org/stable/c/778f3dd5a13c9e1642e0b2efea4b769387a70afa • CWE-416: Use After Free

CVE-2025-21998 – firmware: qcom: uefisecapp: fix efivars registration race
https://notcve.org/view.php?id=CVE-2025-21998
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: uefisecapp: fix efivars registration race Since the conversion to using the TZ allocator, the efivars service is registered before the memory pool has been allocated, something which can lead to a NULL-pointer dereference in case of a racing EFI variable access. Make sure that all resources have been set up before registering the efivars. • https://git.kernel.org/stable/c/6612103ec35af6058bb85ab24dae28e119b3c055

CVE-2025-21997 – xsk: fix an integer overflow in xp_create_and_assign_umem()
https://notcve.org/view.php?id=CVE-2025-21997
03 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: xsk: fix an integer overflow in xp_create_and_assign_umem() Since the i and pool->chunk_size variables are of type 'u32', their product can wrap around and then be cast to 'u64'. This can lead to two different XDP buffers pointing to the same memory area. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with SVACE. • https://git.kernel.org/stable/c/94033cd8e73b8632bab7c8b7bb54caa4f5616db7