
CVE-2022-21546 – scsi: target: Fix WRITE_SAME No Data Buffer crash
https://notcve.org/view.php?id=CVE-2022-21546
02 May 2025 — In newer version of the SBC specs, we have a NDOB bit that indicates there is no data buffer that gets written out. If this bit is set using commands like "sg_write_same --ndob" we will crash in target_core_iblock/file's execute_write_same handlers when we go to access the se_cmd->t_data_sg because its NULL. CVSS 3.1 Base Score 7.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H). In the Linux kernel, the following vulnerability has been resolved: scsi: target: Fix WRITE_S... • https://git.kernel.org/stable/c/4226622647e3e5ac06d3ebc1605b917446157510 • CWE-476: NULL Pointer Dereference •

CVE-2025-37749 – net: ppp: Add bound checking for skb data on ppp_sync_txmung
https://notcve.org/view.php?id=CVE-2025-37749
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: ppp: Add bound checking for skb data on ppp_sync_txmung Ensure we have enough data in linear buffer from skb before accessing initial bytes. This prevents potential out-of-bounds accesses when processing short packets. When ppp_sync_txmung receives an incoming package with an empty payload: (remote) gef➤ p *(struct pppoe_hdr *) (skb->head + skb->network_header) $18 = { type = 0x1, ver = 0x1, code = 0x0, sid = 0x2, length = 0x0, tag = 0... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-125: Out-of-bounds Read •

CVE-2025-21993 – iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic()
https://notcve.org/view.php?id=CVE-2025-21993
02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: iscsi_ibft: Fix UBSAN shift-out-of-bounds warning in ibft_attr_show_nic() When performing an iSCSI boot using IPv6, iscsistart still reads the /sys/firmware/ibft/ethernetX/subnet-mask entry. Since the IPv6 prefix length is 64, this causes the shift exponent to become negative, triggering a UBSAN warning. As the concept of a subnet mask does not apply to IPv6, the value is set to ~0 to suppress the warning message. In the Linux kernel, the f... • https://git.kernel.org/stable/c/a858cd58dea06cf85b142673deea8c5d87f11e70 • CWE-125: Out-of-bounds Read •

CVE-2025-21992 – HID: ignore non-functional sensor in HP 5MP Camera
https://notcve.org/view.php?id=CVE-2025-21992
02 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: ignore non-functional sensor in HP 5MP Camera The HP 5MP Camera (USB ID 0408:5473) reports a HID sensor interface that is not actually implemented. Attempting to access this non-functional sensor via iio_info causes system hangs as runtime PM tries to wake up an unresponsive sensor. [453] hid-sensor-hub 0003:0408:5473.0003: Report latency attributes: ffffffff:ffffffff [453] hid-sensor-hub 0003:0408:5473.0003: common attributes: 5:1, 2:... • https://git.kernel.org/stable/c/9af297aea8f76a0ad21f2de5f2cd6401a748b9c3 •

CVE-2025-21925 – llc: do not use skb_get() before dev_queue_xmit()
https://notcve.org/view.php?id=CVE-2025-21925
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: llc: do not use skb_get() before dev_queue_xmit() syzbot is able to crash hosts [1], using llc and devices not supporting IFF_TX_SKB_SHARING. In this case, e1000 driver calls eth_skb_pad(), while the skb is shared. Simply replace skb_get() by skb_clone() in net/llc/llc_s_ac.c Note that e1000 driver might have an issue with pktgen, because it does not clear IFF_TX_SKB_SHARING, this is an orthogonal change. We need to audit other skb_get() us... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •

CVE-2025-21922 – ppp: Fix KMSAN uninit-value warning with bpf
https://notcve.org/view.php?id=CVE-2025-21922
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: ppp: Fix KMSAN uninit-value warning with bpf Syzbot caught an "KMSAN: uninit-value" warning [1], which is caused by the ppp driver not initializing a 2-byte header when using socket filter. The following code can generate a PPP filter BPF program: ''' struct bpf_program fp; pcap_t *handle; handle = pcap_open_dead(DLT_PPP_PPPD, 65535); pcap_compile(handle, &fp, "ip and outbound", 0, 0); bpf_dump(&fp, 1); ''' Its output is: ''' (000) ldh [2] ... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •

CVE-2025-21910 – wifi: cfg80211: regulatory: improve invalid hints checking
https://notcve.org/view.php?id=CVE-2025-21910
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: regulatory: improve invalid hints checking Syzbot keeps reporting an issue [1] that occurs when erroneous symbols sent from userspace get through into user_alpha2[] via regulatory_hint_user() call. Such invalid regulatory hints should be rejected. While a sanity check from commit 47caf685a685 ("cfg80211: regulatory: reject invalid hints") looks to be enough to deter these very cases, there is a way to get around it due to 2 ... • https://git.kernel.org/stable/c/09d989d179d0c679043556dda77c51b41a2dae7e •

CVE-2025-21909 – wifi: nl80211: reject cooked mode if it is set along with other flags
https://notcve.org/view.php?id=CVE-2025-21909
01 Apr 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: reject cooked mode if it is set along with other flags It is possible to set both MONITOR_FLAG_COOK_FRAMES and MONITOR_FLAG_ACTIVE flags simultaneously on the same monitor interface from the userspace. This causes a sub-interface to be created with no IEEE80211_SDATA_IN_DRIVER bit set because the monitor interface is in the cooked state and it takes precedence over all other states. When the interface is then being deleted th... • https://git.kernel.org/stable/c/66f7ac50ed7cc5c19a62bc97e8f6e7891004a03a •

CVE-2025-21877 – usbnet: gl620a: fix endpoint checking in genelink_bind()
https://notcve.org/view.php?id=CVE-2025-21877
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: usbnet: gl620a: fix endpoint checking in genelink_bind() Syzbot reports [1] a warning in usb_submit_urb() triggered by inconsistencies between expected and actually present endpoints in gl620a driver. Since genelink_bind() does not properly verify whether specified eps are in fact provided by the device, in this case, an artificially manufactured one, one may get a mismatch. Fix the issue by resorting to a usbnet utility function usbnet_get... • https://git.kernel.org/stable/c/47ee3051c856cc2aa95d35d577a8cb37279d540f •

CVE-2025-21862 – drop_monitor: fix incorrect initialization order
https://notcve.org/view.php?id=CVE-2025-21862
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: drop_monitor: fix incorrect initialization order Syzkaller reports the following bug: BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 lock: 0xffff88805303f3e0, .magic: 00000000, .owner: