CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2025-38498 – do_change_type(): refuse to operate on unmounted/not ours mounts
https://notcve.org/view.php?id=CVE-2025-38498
30 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: do_change_type(): refuse to operate on unmounted/not ours mounts Ensure that propagation settings can only be changed for mounts located in the caller's mount namespace. This change aligns permission checking with the rest of mount(2). • https://git.kernel.org/stable/c/07b20889e3052c7e77d6a6a54e7e83446eb1ba84 •
CVSS: 6.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38497 – usb: gadget: configfs: Fix OOB read on empty string write
https://notcve.org/view.php?id=CVE-2025-38497
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: configfs: Fix OOB read on empty string write When writing an empty string to either 'qw_sign' or 'landingPage' sysfs attributes, the store functions attempt to access page[l - 1] before validating that the length 'l' is greater than zero. This patch fixes the vulnerability by adding a check at the beginning of os_desc_qw_sign_store() and webusb_landingPage_store() to handle the zero-length input case gracefully by returning imm... • https://git.kernel.org/stable/c/2798111f8e504ac747cce911226135d50b8de468 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38495 – HID: core: ensure the allocated report buffer can contain the reserved report ID
https://notcve.org/view.php?id=CVE-2025-38495
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: core: ensure the allocated report buffer can contain the reserved report ID When the report ID is not used, the low level transport drivers expect the first byte to be 0. However, currently the allocated buffer not account for that extra byte, meaning that instead of having 8 guaranteed bytes for implement to be working, we only have 7. In the Linux kernel, the following vulnerability has been resolved: HID: core: ensure the allocated ... • https://git.kernel.org/stable/c/d3ed1d84a84538a39b3eb2055d6a97a936c108f2 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38494 – HID: core: do not bypass hid_hw_raw_request
https://notcve.org/view.php?id=CVE-2025-38494
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: core: do not bypass hid_hw_raw_request hid_hw_raw_request() is actually useful to ensure the provided buffer and length are valid. Directly calling in the low level transport driver function bypassed those checks and allowed invalid paramto be used. In the Linux kernel, the following vulnerability has been resolved: HID: core: do not bypass hid_hw_raw_request hid_hw_raw_request() is actually useful to ensure the provided buffer and len... • https://git.kernel.org/stable/c/a62a895edb2bfebffa865b5129a66e3b4287f34f •
CVSS: 8.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38483 – comedi: das16m1: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38483
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: das16m1: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* only irqs 2, 3, 4, 5, 6, 7, 10, 11, 12, 14, and 15 are valid */ if ((1 << it->options[1]) & 0xdcfc) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original... • https://git.kernel.org/stable/c/729988507680b2ce934bce61d9ce0ea7b235914c •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38482 – comedi: das6402: Fix bit shift out of bounds
https://notcve.org/view.php?id=CVE-2025-38482
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: das6402: Fix bit shift out of bounds When checking for a supported IRQ number, the following test is used: /* IRQs 2,3,5,6,7, 10,11,15 are valid for "enhanced" mode */ if ((1 << it->options[1]) & 0x8cec) { However, `it->options[i]` is an unchecked `int` value from userspace, so the shift amount could be negative or out of bounds. Fix the test by requiring `it->options[1]` to be within bounds before proceeding with the original test.... • https://git.kernel.org/stable/c/79e5e6addbb18bf56075f0ff552094a28636dd03 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38481 – comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large
https://notcve.org/view.php?id=CVE-2025-38481
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large The handling of the `COMEDI_INSNLIST` ioctl allocates a kernel buffer to hold the array of `struct comedi_insn`, getting the length from the `n_insns` member of the `struct comedi_insnlist` supplied by the user. The allocation will fail with a WARNING and a stack dump if it is too large. Avoid that by failing with an `-EINVAL` error if the supplied `n_insns` value is unreasonable. D... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38480 – comedi: Fix use of uninitialized data in insn_rw_emulate_bits()
https://notcve.org/view.php?id=CVE-2025-38480
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fix use of uninitialized data in insn_rw_emulate_bits() For Comedi `INSN_READ` and `INSN_WRITE` instructions on "digital" subdevices (subdevice types `COMEDI_SUBD_DI`, `COMEDI_SUBD_DO`, and `COMEDI_SUBD_DIO`), it is common for the subdevice driver not to have `insn_read` and `insn_write` handler functions, but to have an `insn_bits` handler function for handling Comedi `INSN_BITS` instructions. In that case, the subdevice's `insn_re... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38478 – comedi: Fix initialization of data for instructions that write to subdevice
https://notcve.org/view.php?id=CVE-2025-38478
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: comedi: Fix initialization of data for instructions that write to subdevice Some Comedi subdevice instruction handlers are known to access instruction data elements beyond the first `insn->n` elements in some cases. The `do_insn_ioctl()` and `do_insnlist_ioctl()` functions allocate at least `MIN_SAMPLES` (16) data elements to deal with this, but they do not initialize all of that. For Comedi instruction codes that write to the subdevice, th... • https://git.kernel.org/stable/c/ed9eccbe8970f6eedc1b978c157caf1251a896d4 •
CVSS: 6.9EPSS: 0%CPEs: 5EXPL: 0CVE-2025-38477 – net/sched: sch_qfq: Fix race condition on qfq_aggregate
https://notcve.org/view.php?id=CVE-2025-38477
28 Jul 2025 — In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix race condition on qfq_aggregate A race condition can occur when 'agg' is modified in qfq_change_agg (called during qfq_enqueue) while other threads access it concurrently. For example, qfq_dump_class may trigger a NULL dereference, and qfq_delete_class may cause a use-after-free. This patch addresses the issue by: 1. Moved qfq_destroy_class into the critical section. 2. Added sch_tree_lock protection to qfq_dump_clas... • https://git.kernel.org/stable/c/462dbc9101acd38e92eda93c0726857517a24bbd •