
CVE-2025-37999 – fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio()
https://notcve.org/view.php?id=CVE-2025-37999
29 May 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/erofs/fileio: call erofs_onlinefolio_split() after bio_add_folio() If bio_add_folio() fails (because it is full), erofs_fileio_scan_folio() needs to submit the I/O request via erofs_fileio_rq_submit() and allocate a new I/O request with an empty `struct bio`. Then it retries the bio_add_folio() call. However, at this point, erofs_onlinefolio_split() has already been called which increments `folio->private`; the retry will call erofs_onli... • https://git.kernel.org/stable/c/ce63cb62d794c98c7631c2296fa845f2a8d0a4a1 •

CVE-2025-37998 – openvswitch: Fix unsafe attribute parsing in output_userspace()
https://notcve.org/view.php?id=CVE-2025-37998
29 May 2025 — In the Linux kernel, the following vulnerability has been resolved: openvswitch: Fix unsafe attribute parsing in output_userspace() This patch replaces the manual Netlink attribute iteration in output_userspace() with nla_for_each_nested(), which ensures that only well-formed attributes are processed. • https://git.kernel.org/stable/c/ccb1352e76cff0524e7ccb2074826a092dd13016 •

CVE-2025-37997 – netfilter: ipset: fix region locking in hash types
https://notcve.org/view.php?id=CVE-2025-37997
29 May 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: fix region locking in hash types Region locking introduced in v5.6-rc4 contained three macros to handle the region locks: ahash_bucket_start(), ahash_bucket_end() which gave back the start and end hash bucket values belonging to a given region lock and ahash_region() which should give back the region lock belonging to a given hash bucket. The latter was incorrect which can lead to a race condition between the garbage colle... • https://git.kernel.org/stable/c/f66ee0410b1c3481ee75e5db9b34547b4d582465 •

CVE-2025-37996 – KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort()
https://notcve.org/view.php?id=CVE-2025-37996
29 May 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix uninitialized memcache pointer in user_mem_abort() Commit fce886a60207 ("KVM: arm64: Plumb the pKVM MMU in KVM") made the initialization of the local memcache variable in user_mem_abort() conditional, leaving a codepath where it is used uninitialized via kvm_pgtable_stage2_map(). This can fail on any path that requires a stage-2 allocation without transition via a permission fault or dirty logging. Fix this by making sure th... • https://git.kernel.org/stable/c/fce886a6020734d6253c2c5a3bc285e385cc5496 •

CVE-2025-37995 – module: ensure that kobject_put() is safe for module type kobjects
https://notcve.org/view.php?id=CVE-2025-37995
29 May 2025 — In the Linux kernel, the following vulnerability has been resolved: module: ensure that kobject_put() is safe for module type kobjects In 'lookup_or_create_module_kobject()', an internal kobject is created using 'module_ktype'. So call to 'kobject_put()' on error handling path causes an attempt to use an uninitialized completion pointer in 'module_kobject_release()'. In this scenario, we just want to release kobject without an extra synchronization required for a regular module unloading process, so adding ... • https://git.kernel.org/stable/c/942e443127e928a5631c3d5102aca8c8b3c2dd98 •

CVE-2025-37994 – usb: typec: ucsi: displayport: Fix NULL pointer access
https://notcve.org/view.php?id=CVE-2025-37994
29 May 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: displayport: Fix NULL pointer access This patch ensures that the UCSI driver waits for all pending tasks in the ucsi_displayport_work workqueue to finish executing before proceeding with the partner removal. • https://git.kernel.org/stable/c/af8622f6a585d8d82b11cd7987e082861fd0edd3 •

CVE-2025-37993 – can: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe
https://notcve.org/view.php?id=CVE-2025-37993
29 May 2025 — In the Linux kernel, the following vulnerability has been resolved: can: m_can: m_can_class_allocate_dev(): initialize spin lock on device probe The spin lock tx_handling_spinlock in struct m_can_classdev is not being initialized. This leads the following spinlock bad magic complaint from the kernel, eg. when trying to send CAN frames with cansend from can-utils: | BUG: spinlock bad magic on CPU#0, cansend/95 | lock: 0xff60000002ec1010, .magic: 00000000, .owner:

CVE-2025-37992 – net_sched: Flush gso_skb list too during ->change()
https://notcve.org/view.php?id=CVE-2025-37992
26 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net_sched: Flush gso_skb list too during ->change() Previously, when reducing a qdisc's limit via the ->change() operation, only the main skb queue was trimmed, potentially leaving packets in the gso_skb list. This could result in NULL pointer dereference when we only check sch->limit against sch->q.qlen. This patch introduces a new helper, qdisc_dequeue_internal(), which ensures both the gso_skb list and the main queue are properly flushed... • https://git.kernel.org/stable/c/76e3cc126bb223013a6b9a0e2a51238d1ef2e409 •

CVE-2025-37991 – parisc: Fix double SIGFPE crash
https://notcve.org/view.php?id=CVE-2025-37991
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: parisc: Fix double SIGFPE crash Camm noticed that on parisc a SIGFPE exception will crash an application with a second SIGFPE in the signal handler. Dave analyzed it, and it happens because glibc uses a double-word floating-point store to atomically update function descriptors. As a result of lazy binding, we hit a floating-point store in fpe_func almost immediately. When the T bit is set, an assist exception trap occurs when when the co-pr... • https://git.kernel.org/stable/c/ec4584495868bd465fe60a3f771915c0e7ce7951 •

CVE-2025-37990 – wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage()
https://notcve.org/view.php?id=CVE-2025-37990
20 May 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() The function brcmf_usb_dl_writeimage() calls the function brcmf_usb_dl_cmd() but dose not check its return value. The 'state.state' and the 'state.bytes' are uninitialized if the function brcmf_usb_dl_cmd() fails. It is dangerous to use uninitialized variables in the conditions. Add error handling for brcmf_usb_dl_cmd() to jump to error handling path if the brcmf_usb_dl... • https://git.kernel.org/stable/c/71bb244ba2fd5390eefe4ee9054abdb3f8b05922 •