CVSS: 7.1 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-40208 – media: iris: fix module removal if firmware download failed
https://notcve.org/view.php?id=CVE-2025-40208
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: media: iris: fix module removal if firmware download failed. Fix remove if firmware failed to load:
    qcom-iris aa00000.video-codec: Direct firmware load for qcom/vpu/vpu33_p4.mbn failed with error -2
    qcom-iris aa00000.video-codec: firmware download failed
    qcom-iris aa00000.video-codec: core init failed
then:
    $ echo aa00000.video-codec > /sys/bus/platform/drivers/qcom-iris/unbind
Triggers:
    genpd genpd:1:aa00000.video-codec: Runtime PM usage co...
• https://git.kernel.org/stable/c/d7378f84e94e14998b3469dcc0d8ce609d049ccc
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-40207 – media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try()
https://notcve.org/view.php?id=CVE-2025-40207
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try(). v4l2_subdev_call_state_try() macro allocates a subdev state with __v4l2_subdev_state_alloc(), but does not check the returned value. If __v4l2_subdev_state_alloc fails, it returns an ERR_PTR, and that would cause v4l2_subdev_call_state_try() to crash. Add proper error handling to v4l2_subdev_call_state_try().
• https://git.kernel.org/stable/c/982c0487185bd466059ff618f398a8d074ddb654
CVSS: 5.5 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-40206 – netfilter: nft_objref: validate objref and objrefmap expressions
https://notcve.org/view.php?id=CVE-2025-40206
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_objref: validate objref and objrefmap expressions. Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls:
    BUG: TASK stack guard page was hit at 000000008bda5b8c (stack is 000000003ab1c4a5..00000000494d8b12)
    [...]
    Call Trace:
    __find_rr_leaf+0x99/0x230
    fib6_table_lookup+0x13b/0x2d0
    ip6_pol_route+0xa4/0x400
    fib6_rule_lookup+0x156/0x240
    ip6_route_output_flags+0xc6/0x150
    __nf_ip...
• https://git.kernel.org/stable/c/ee394f96ad7517fbc0de9106dcc7ce9efb14f264
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40205 – btrfs: avoid potential out-of-bounds in btrfs_encode_fh()
https://notcve.org/view.php?id=CVE-2025-40205
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh(). The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only returns to the user BTRFS_FID_SIZE_NON_CONNECTABLE (5 dwords, 20 bytes) or BTRFS_FID_SIZE_CONNECTABLE (8 dwords, 32 bytes). However, when a parent exists and the root ID of the parent and the inode are different, the function writes BTRFS_...
• https://git.kernel.org/stable/c/be6e8dc0ba84029997075a1ec77b4ddb863cbe15
CVSS: 6.3 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40204 – sctp: Fix MAC comparison to be constant-time
https://notcve.org/view.php?id=CVE-2025-40204
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time. To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.
• https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
CVSS: 7.2 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2025-40203 – listmount: don't call path_put() under namespace semaphore
https://notcve.org/view.php?id=CVE-2025-40203
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: listmount: don't call path_put() under namespace semaphore. Massage listmount() and make sure we don't call path_put() under the namespace semaphore. If we put the last reference we're fscked.
• https://git.kernel.org/stable/c/b4c2bea8ceaa50cd42a8f73667389d801a3ecf2d
CVSS: 5.5 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-40202 – ipmi: Rework user message limit handling
https://notcve.org/view.php?id=CVE-2025-40202
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: ipmi: Rework user message limit handling. The limit on the number of user messages had a number of issues, improper counting in some cases and a use after free. Restructure how this is all done to handle more in the receive message allocation routine, so all refcounting and user message limit counts are done in that routine. It's a lot cleaner and safer.
• https://git.kernel.org/stable/c/8e76741c3d8b20dfa2d6c30fa10ff927cfd93d82
CVSS: 6.2 | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2025-40201 – kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths
https://notcve.org/view.php?id=CVE-2025-40201
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: kernel/sys.c: fix the racy usage of task_lock(tsk->group_leader) in sys_prlimit64() paths. The usage of task_lock(tsk->group_leader) in sys_prlimit64()->do_prlimit() path is very broken. sys_prlimit64() does get_task_struct(tsk) but this only protects task_struct itself. If tsk != current and tsk is not a leader, this process can exit/exec and task_lock(tsk->group_leader) may use the already freed task_struct. Another problem is that sys_prl...
• https://git.kernel.org/stable/c/18c91bb2d87268d23868bf13508f5bc9cf04e89a
CVSS: 6.3 | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2025-40200 – Squashfs: reject negative file sizes in squashfs_read_inode()
https://notcve.org/view.php?id=CVE-2025-40200
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: Squashfs: reject negative file sizes in squashfs_read_inode(). Syzkaller reports a "WARNING in ovl_copy_up_file" in overlayfs. This warning is ultimately caused because the underlying Squashfs file system returns a file with a negative file size. This commit checks for a negative file size and returns EINVAL. [phillip@squashfs.org.uk: only need to check 64 bit quantity]
• https://git.kernel.org/stable/c/6545b246a2c815a8fcd07d58240effb6ec3481b1
CVSS: 5.5 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-40199 – page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches
https://notcve.org/view.php?id=CVE-2025-40199
12 Nov 2025 — In the Linux kernel, the following vulnerability has been resolved: page_pool: Fix PP_MAGIC_MASK to avoid crashing on some 32-bit arches. Helge reported that the introduction of PP_MAGIC_MASK led to crashes on boot on his 32-bit parisc machine. The cause of this is the mask is set too wide, so the page_pool_page_is_pp() incurs false positives which crashes the machine. Just disabling the check in page_pool_is_pp() will lead to the page_pool code itself malfunctioning; so instead of doing this, this patch cha...
• https://git.kernel.org/stable/c/4f51fb0d257ff4d406ec27966902de075e3b118e
