
CVE-2025-21866 – powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC
https://notcve.org/view.php?id=CVE-2025-21866
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6: BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by task chronyd/1293 CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 Tainted: [W]=WARN Hardware name: PowerMac3,6 7455 0x8... • https://git.kernel.org/stable/c/37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 •

CVE-2025-21865 – gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl().
https://notcve.org/view.php?id=CVE-2025-21865
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: gtp: Suppress list corruption splat in gtp_net_exit_batch_rtnl(). Brad Spengler reported the list_del() corruption splat in gtp_net_exit_batch_rtnl(). [0] Commit eb28fd76c0a0 ("gtp: Destroy device along with udp socket's netns dismantle.") added the for_each_netdev() loop in gtp_net_exit_batch_rtnl() to destroy devices in each netns as done in geneve and ip tunnels. However, this could trigger ->dellink() twice for the same device during ->... • https://git.kernel.org/stable/c/efec287cbac92ac6ee8312a89221854760e13b34 •

CVE-2025-21862 – drop_monitor: fix incorrect initialization order
https://notcve.org/view.php?id=CVE-2025-21862
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: drop_monitor: fix incorrect initialization order Syzkaller reports the following bug: BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 lock: 0xffff88805303f3e0, .magic: 00000000, .owner:

CVE-2025-21861 – mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize()
https://notcve.org/view.php?id=CVE-2025-21861
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/migrate_device: don't add folio to be freed to LRU in migrate_device_finalize() If migration succeeded, we called folio_migrate_flags()->mem_cgroup_migrate() to migrate the memcg from the old to the new folio. This will set memcg_data of the old folio to 0. Similarly, if migration failed, memcg_data of the dst folio is left unset. If we call folio_putback_lru() on such folios (memcg_data == 0), we will add the folio to be freed to the LR... • https://git.kernel.org/stable/c/8763cb45ab967a92a5ee49e9c544c0f0ea90e2d6 •

CVE-2025-21859 – USB: gadget: f_midi: f_midi_complete to call queue_work
https://notcve.org/view.php?id=CVE-2025-21859
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: USB: gadget: f_midi: f_midi_complete to call queue_work When using USB MIDI, a lock is attempted to be acquired twice through a re-entrant call to f_midi_transmit, causing a deadlock. Fix it by using queue_work() to schedule the inner f_midi_transmit() via a high priority work queue from the completion handler. • https://git.kernel.org/stable/c/d5daf49b58661ec4af7a55b277176efbf945ca05 •

CVE-2025-21858 – geneve: Fix use-after-free in geneve_find_dev().
https://notcve.org/view.php?id=CVE-2025-21858
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: geneve: Fix use-after-free in geneve_find_dev(). syzkaller reported a use-after-free in geneve_find_dev() [0] without repro. geneve_configure() links struct geneve_dev.next to net_generic(net, geneve_net_id)->geneve_list. The net here could differ from dev_net(dev) if IFLA_NET_NS_PID, IFLA_NET_NS_FD, or IFLA_TARGET_NETNSID is set. When dev_net(dev) is dismantled, geneve_exit_batch_rtnl() finally calls unregister_netdevice_queue() for each d... • https://git.kernel.org/stable/c/2d07dc79fe04a43d82a346ced6bbf07bdb523f1b • CWE-416: Use After Free •

CVE-2025-21855 – ibmvnic: Don't reference skb after sending to VIOS
https://notcve.org/view.php?id=CVE-2025-21855
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Don't reference skb after sending to VIOS Previously, after successfully flushing the xmit buffer to VIOS, the tx_bytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending the buffer to the VIOS because, at any point after sending, the VIOS can trigger an interrupt to free this memory. A race between reading skb->len and freeing the skb is possible (especially during LPM) and will res... • https://git.kernel.org/stable/c/032c5e82847a2214c3196a90f0aeba0ce252de58 •

CVE-2025-21848 – nfp: bpf: Add check for nfp_app_ctrl_msg_alloc()
https://notcve.org/view.php?id=CVE-2025-21848
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: nfp: bpf: Add check for nfp_app_ctrl_msg_alloc() Add check for the return value of nfp_app_ctrl_msg_alloc() in nfp_bpf_cmsg_alloc() to prevent null pointer dereference. • https://git.kernel.org/stable/c/ff3d43f7568c82b335d7df2d40a31447c3fce10c •

CVE-2025-21846 – acct: perform last write from workqueue
https://notcve.org/view.php?id=CVE-2025-21846
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: acct: perform last write from workqueue In [1] it was reported that the acct(2) system call can be used to trigger NULL deref in cases where it is set to write to a file that triggers an internal lookup. This can e.g., happen when pointing acct(2) to /sys/power/resume. At the point where the write to this file happens the calling task has already exited and called exit_fs(). A lookup will thus trigger a NULL-deref when accessing current-... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •

CVE-2024-58089 – btrfs: fix double accounting race when btrfs_run_delalloc_range() failed
https://notcve.org/view.php?id=CVE-2024-58089
12 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix double accounting race when btrfs_run_delalloc_range() failed [BUG] When running btrfs with block size (4K) smaller than page size (64K, aarch64), there is a very high chance to crash the kernel at generic/750, with the following messages: (before the call traces, there are 3 extra debug messages added) BTRFS warning (device dm-3): read-write for sector size 4096 with page size 65536 is experimental BTRFS info (device dm-3): chec... • https://git.kernel.org/stable/c/d1051d6ebf8ef3517a5a3cf82bba8436d190f1c2 •