
CVSS: 5.6 • EPSS: % • CPEs: 4 • EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: xfrm: state: initialize state_ptrs earlier in xfrm_state_find In case of preemption, xfrm_state_look_at will find a different pcpu_id and look up states for that other CPU. If we matched a state for CPU2 in the state_cache while the lookup started on CPU1, we will jump to "found", but the "best" state that we got will be ignored and we will enter the "acquire" block. This block uses state_ptrs, which isn't initialized at this point. Let's i... • https://git.kernel.org/stable/c/a16871c7832ea6435abb6e0b58289ae7dcb7e4fc •

CVSS: 5.5 • EPSS: % • CPEs: 5 • EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: i2c: qup: jump out of the loop in case of timeout Original logic only sets the return value but doesn't jump out of the loop if the bus is kept active by a client. This is not expected. A malicious or buggy i2c client can hang the kernel in this case and should be avoided. This is observed during a long time test with a PCA953x GPIO extender. Fix it by changing the logic to not only set the return value, but also jump out of the loop and ... • https://git.kernel.org/stable/c/fbfab1ab065879370541caf0e514987368eb41b2 •

CVSS: 7.1 • EPSS: % • CPEs: 7 • EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() `cpu_switch_to()` and `call_on_irq_stack()` manipulate SP to change to different stacks along with the Shadow Call Stack if it is enabled. Those two stack changes cannot be done atomically and both functions can be interrupted by SErrors or Debug Exceptions which, though unlikely, is very much broken: if interrupted, we can end up with mismatched stacks and Shadow Call Stack le... • https://git.kernel.org/stable/c/59b37fe52f49955791a460752c37145f1afdcad1 •

CVSS: 5.5 • EPSS: % • CPEs: 5 • EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix NULL dereference on unbind due to stale coupling data Failing to reset coupling_desc.n_coupled after freeing coupled_rdevs can lead to NULL pointer dereference when regulators are accessed post-unbind. This can happen during runtime PM or other regulator operations that rely on coupling metadata. For example, on ridesx4, unbinding the 'reg-dummy' platform device triggers a panic in regulator_lock_recursive() due to stal... • https://git.kernel.org/stable/c/800a2cfb2df7f96b3fb48910fc595e0215f6b019 •

CVSS: 5.6 • EPSS: % • CPEs: 5 • EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: net: appletalk: Fix use-after-free in AARP proxy probe The AARP proxy‐probe routine (aarp_proxy_probe_network) sends a probe, releases the aarp_lock, sleeps, then re-acquires the lock. During that window an expire timer thread (__aarp_expire_timer) can remove and kfree() the same entry, leading to a use-after-free. race condition: cpu 0 | cpu 1 atalk_sendmsg() | atif_proxy_probe_device() aarp_send_ddp() | aarp_proxy_probe_network() mod_time... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •

CVSS: 5.5 • EPSS: % • CPEs: 5 • EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode Andrei Lalaev reported a NULL pointer deref when a CAN device is restarted from Bus Off and the driver does not implement the struct can_priv::do_set_mode callback. There are 2 code paths that call struct can_priv::do_set_mode: - directly by a manual restart from the user space, via can_changelink() - delayed automatic restart after bus off (deactivated by... • https://git.kernel.org/stable/c/39549eef3587f1c1e8c65c88a2400d10fd30ea17 •

CVSS: 5.5 • EPSS: % • CPEs: 5 • EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ice: Fix a null pointer dereference in ice_copy_and_init_pkg() Add check for the return value of devm_kmemdup() to prevent potential null pointer dereference. • https://git.kernel.org/stable/c/c7648810961682b9388be2dd041df06915647445 •

CVSS: 7.8 • EPSS: % • CPEs: 5 • EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: nilfs2: reject invalid file types when reading inodes To prevent inodes with invalid file types from tripping through the vfs and causing malfunctions or assertion failures, add a missing sanity check when reading an inode from a block device. If the file type is not valid, treat it as a filesystem error. • https://git.kernel.org/stable/c/05fe58fdc10df9ebea04c0eaed57adc47af5c184 •

CVSS: 7.8 • EPSS: % • CPEs: 3 • EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv Given mt8365_dai_set_priv allocates priv_size space to copy priv_data which means we should pass mt8365_i2s_priv[i] or "struct mtk_afe_i2s_priv" instead of afe_priv which has the size of "struct mt8365_afe_private". Otherwise the KASAN complains about. [ 59.389765] BUG: KASAN: global-out-of-bounds in mt8365_dai_set_priv+0xc8/0x168 [snd_soc_mt8365_pcm] ... [ 59.394789] C... • https://git.kernel.org/stable/c/402bbb13a195caa83b3279ebecdabfb11ddee084 •

CVSS: 7.1 • EPSS: % • CPEs: 4 • EXPL: 0

22 Aug 2025 — In the Linux kernel, the following vulnerability has been resolved: [ceph] parse_longname(): strrchr() expects NUL-terminated string ... and parse_longname() is not guaranteed that. That's the reason why it uses kmemdup_nul() to build the argument for kstrtou64(); the problem is, kstrtou64() is not the only thing that needs it. Just get a NUL-terminated copy of the entire thing and be done with that... • https://git.kernel.org/stable/c/dd66df0053ef84add5e684df517aa9b498342381 •