CVSS: 5.5 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-40066 – wifi: mt76: mt7996: Check phy before init msta_link in mt7996_mac_sta_add_links()
https://notcve.org/view.php?id=CVE-2025-40066
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: Check phy before init msta_link in mt7996_mac_sta_add_links() In order to avoid a possible NULL pointer dereference in mt7996_mac_sta_init_link routine, move the phy pointer check before running mt7996_mac_sta_init_link() in mt7996_mac_sta_add_links routine. • https://git.kernel.org/stable/c/dd82a9e02c054052b5899872c1f32805428f6131 •
CVSS: 7.1 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-40065 – RISC-V: KVM: Write hgatp register with valid mode bits
https://notcve.org/view.php?id=CVE-2025-40065
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: RISC-V: KVM: Write hgatp register with valid mode bits According to the RISC-V Privileged Architecture Spec, when MODE=Bare is selected, software must write zero to the remaining fields of hgatp. We have detected the valid mode supported by the HW before, so using a valid mode to detect how many vmid bits are supported. • https://git.kernel.org/stable/c/fd7bb4a251dfc1da3496bf59a4793937c13e8c1f •
CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-40064 – smc: Fix use-after-free in __pnet_find_base_ndev().
https://notcve.org/view.php?id=CVE-2025-40064
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: smc: Fix use-after-free in __pnet_find_base_ndev(). syzbot reported use-after-free of net_device in __pnet_find_base_ndev(), which was called during connect(). [0] smc_pnet_find_ism_resource() fetches sk_dst_get(sk)->dev and passes down to pnet_find_base_ndev(), where RTNL is held. Then, UAF happened at __pnet_find_base_ndev() when the dev is first used. This means dev had already been freed before acquiring RTNL in pnet_find_base_ndev(). W... • https://git.kernel.org/stable/c/0afff91c6f5ecef27715ea71e34dc2baacba1060 •
CVSS: 7.1 | EPSS: 0% | CPEs: 2 | EXPL: 0
CVE-2025-40063 – crypto: comp - Use same definition of context alloc and free ops
https://notcve.org/view.php?id=CVE-2025-40063
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: comp - Use same definition of context alloc and free ops In commit 42d9f6c77479 ("crypto: acomp - Move scomp stream allocation code into acomp"), the crypto_acomp_streams struct was made to rely on having the alloc_ctx and free_ctx operations defined in the same order as the scomp_alg struct. But in that same commit, the alloc_ctx and free_ctx members of scomp_alg may be randomized by structure layout randomization, since they are c... • https://git.kernel.org/stable/c/42d9f6c774790d290c175e8775ce9f1366438098 •
CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2025-40062 – crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs
https://notcve.org/view.php?id=CVE-2025-40062
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs When the initialization of qm->debug.acc_diff_reg fails, the probe process does not exit. However, after qm->debug.qm_diff_regs is freed, it is not set to NULL. This can lead to a double free when the remove process attempts to free it again. Therefore, qm->debug.qm_diff_regs should be set to NULL after it is freed. • https://git.kernel.org/stable/c/eda60520cfe3aba9f088c68ebd5bcbca9fc6ac3c •
CVSS: 6.3 | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2025-40061 – RDMA/rxe: Fix race in do_task() when draining
https://notcve.org/view.php?id=CVE-2025-40061
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix race in do_task() when draining When do_task() exhausts its iteration budget (!ret), it sets the state to TASK_STATE_IDLE to reschedule, without a secondary check on the current task->state. This can overwrite the TASK_STATE_DRAINING state set by a concurrent call to rxe_cleanup_task() or rxe_disable_task(). While state changes are protected by a spinlock, both rxe_cleanup_task() and rxe_disable_task() release the lock while w... • https://git.kernel.org/stable/c/9b4b7c1f9f54120940e243251e2b1407767b3381 •
CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2025-40060 – coresight: trbe: Return NULL pointer for allocation failures
https://notcve.org/view.php?id=CVE-2025-40060
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: coresight: trbe: Return NULL pointer for allocation failures When the TRBE driver fails to allocate a buffer, it currently returns the error code "-ENOMEM". However, the caller etm_setup_aux() only checks for a NULL pointer, so it misses the error. As a result, the driver continues and eventually causes a kernel panic. Fix this by returning a NULL pointer from arm_trbe_alloc_buffer() on allocation failures. This allows that the callers can ... • https://git.kernel.org/stable/c/3fbf7f011f2426dac8c982f1d2ef469a7959a524 •
CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2025-40059 – coresight: Fix incorrect handling for return value of devm_kzalloc
https://notcve.org/view.php?id=CVE-2025-40059
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: coresight: Fix incorrect handling for return value of devm_kzalloc The return value of devm_kzalloc could be a null pointer, use "!desc.pdata" to fix incorrect handling of the return value of devm_kzalloc. • https://git.kernel.org/stable/c/4277f035d227e829133df284be7e35b7236a5b0f •
CVSS: 7.8 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2025-40058 – iommu/vt-d: Disallow dirty tracking if incoherent page walk
https://notcve.org/view.php?id=CVE-2025-40058
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Disallow dirty tracking if incoherent page walk Dirty page tracking relies on the IOMMU atomically updating the dirty bit in the paging-structure entry. For this operation to succeed, the paging-structure memory must be coherent between the IOMMU and the CPU. In other words, if the iommu page walk is incoherent, dirty page tracking doesn't work. The Intel VT-d specification, Section 3.10 "Snoop Behavior" states: "Remapping har... • https://git.kernel.org/stable/c/f35f22cc760eb2c7034bf53251399685d611e03f •
CVSS: 7.1 | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2025-40057 – ptp: Add a upper bound on max_vclocks
https://notcve.org/view.php?id=CVE-2025-40057
28 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ptp: Add a upper bound on max_vclocks syzbot reported WARNING in max_vclocks_store. This occurs when the argument max is too large for kcalloc to handle. Extend the guard to guard against values that are too large for kcalloc. • https://git.kernel.org/stable/c/73f37068d540eba5f93ba3a0019bf479d35ebd76 •
