Linux Kernel vulnerabilities
14,742 known vulnerabilities affecting linux/linux_kernel.
Total CVEs: 14,742
CISA KEV: 29 (actively exploited)
Public exploits: 296
Exploited in wild: 31
Severity breakdown: CRITICAL 112, HIGH 3715, MEDIUM 8619, LOW 440, UNKNOWN 1856
Vulnerabilities
CVE-2025-39973 | UNKNOWN | ≥ 0, < 5.10.247-1; ≥ 0, < 6.1.158-1; +2 more | 2025-10-15
In the Linux kernel, the following vulnerability has been resolved:
i40e: add validation for ring_len param
The `ring_len` parameter provided by the virtual function (VF) is assigned directly to the hardware memory context (HMC) without any validation. To address this, introduce an upper boundary check for both Tx an
osv
CVE-2025-39992 | UNKNOWN | ≥ 6.8.0, < 6.12.51; ≥ 6.13.0, < 6.16.11; +1 more | 2025-10-15
In the Linux kernel, the following vulnerability has been resolved:
mm: swap: check for stable address space before operating on the VMA
It is possible to hit a zero entry while traversing the vmas in unuse_mm()
called from swapoff path and accessing it causes the OOPS:
Unable to handle kernel NULL pointer dereference at virtual address
0000
osv
CVE-2025-39975 | UNKNOWN | ≥ 0, < 6.6.109; ≥ 6.7.0, < 6.12.50; +1 more | 2025-10-15
In the Linux kernel, the following vulnerability has been resolved:
smb: client: fix wrong index reference in smb2_compound_op()
In smb2_compound_op(), the loop that processes each command's response
uses wrong indices when accessing response buffers.
This incorrect indexing leads to improper handling of command results.
Also, if incorrectly computed index
osv
CVE-2025-39978 | UNKNOWN | ≥ 5.14.0, < 6.1.155; ≥ 6.2.0, < 6.6.109; +2 more | 2025-10-15
In the Linux kernel, the following vulnerability has been resolved:
octeontx2-pf: Fix potential use after free in otx2_tc_add_flow()
This code calls kfree_rcu(new_node, rcu) and then dereferences "new_node"
and then dereferences it on the next line. Two lines later, we take
a mutex so I don't think this is an RCU safe region. Re-order it to do
the de
osv
CVE-2025-39980 | UNKNOWN | ≥ 0, < 5.10.247-1; ≥ 0, < 6.1.158-1; +2 more | 2025-10-15
In the Linux kernel, the following vulnerability has been resolved:
nexthop: Forbid FDB status change while nexthop is in a group
The kernel forbids the creation of non-FDB nexthop groups with FDB nexthops:
# ip nexthop add id 1 via 192.0.2.1 fdb
# ip nexthop add id 2 group 1
Error: Non FDB nexthop group cannot have
osv
CVE-2025-39994 | UNKNOWN | ≥ 3.16.0, < 5.4.301; ≥ 5.5.0, < 5.10.246; +6 more | 2025-10-15
In the Linux kernel, the following vulnerability has been resolved:
media: tuner: xc5000: Fix use-after-free in xc5000_release
The original code uses cancel_delayed_work() in xc5000_release(), which
does not guarantee that the delayed work item timer_sleep has fully
completed if it was already running. This leads to use-after-free scenarios
where xc5000_release(
osv
CVE-2025-39995 | UNKNOWN | ≥ 0, < 5.10.247-1; ≥ 0, < 6.1.158-1; +2 more | 2025-10-15
In the Linux kernel, the following vulnerability has been resolved:
media: i2c: tc358743: Fix use-after-free bugs caused by orphan timer in probe
The state->timer is a cyclic timer that schedules work_i2c_poll and delayed_work_enable_hotplug, while rearming itself. Using timer_delete() fails to guarantee the timer isn
osv
CVE-2025-39970 | UNKNOWN | ≥ 4.17.0, < 5.4.300; ≥ 5.5.0, < 5.10.245; +5 more | 2025-10-15
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix input validation logic for action_meta
Fix condition to check 'greater or equal' to prevent OOB dereference.
osv
CVE-2025-39965 | MEDIUM | CVSS 5.5 | ≥ 6.6.103, < 6.6.109; ≥ 6.12.43, < 6.12.50; +3 more | 2025-10-13
In the Linux kernel, the following vulnerability has been resolved:
xfrm: xfrm_alloc_spi shouldn't use 0 as SPI
x->id.spi == 0 means "no SPI assigned", but since commit
94f39804d891 ("xfrm: Duplicate SPI Handling"), we now create states
and add them to the byspi list with this value.
__xfrm_state_delete doesn't remove those states from the byspi list,
sin
nvd, osv
CVE-2025-39964 | LOW | CVSS 3.3 | ≥ 2.6.38, < 5.10.245; ≥ 5.11, < 5.15.194; +5 more | 2025-10-13
In the Linux kernel, the following vulnerability has been resolved:
crypto: af_alg - Disallow concurrent writes in af_alg_sendmsg
Issuing two writes to the same af_alg socket is bogus as the
data will be interleaved in an unpredictable fashion. Furthermore,
concurrent writes may create inconsistencies in the internal
socket state.
Disallow this by adding a
nvd, osv
CVE-2025-39963 | HIGH | CVSS 7.8 | CWE-401 | ≥ 6.10, < 6.12.49; ≥ 6.13, < 6.16.9; +1 more | 2025-10-09
In the Linux kernel, the following vulnerability has been resolved:
io_uring: fix incorrect io_kiocb reference in io_link_skb
In io_link_skb function, there is a bug where prev_notif is incorrectly
assigned using 'nd' instead of 'prev_nd'. This causes the context
validation check to compare the current notification with itself instead
of comparing i
nvd, osv
CVE-2025-39958 | HIGH | CVSS 7.8 | ≥ 6.2, < 6.16.9; v6.17 | 2025-10-09
In the Linux kernel, the following vulnerability has been resolved:
iommu/s390: Make attach succeed when the device was surprise removed
When a PCI device is removed with surprise hotplug, there may still be
attempts to attach the device to the default domain as part of tear down
via (__iommu_release_dma_ownership()), or because the removal happens
during p
nvd, osv
CVE-2025-39962 | HIGH | CVSS 7.8 | CWE-787 | ≥ 6.16, < 6.16.9; v6.17 | 2025-10-09
In the Linux kernel, the following vulnerability has been resolved:
rxrpc: Fix untrusted unsigned subtract
Fix the following Smatch static checker warning:
net/rxrpc/rxgk_app.c:65 rxgk_yfs_decode_ticket()
warn: untrusted unsigned subtract. 'ticket_len - 10 * 4'
by prechecking the length of what we're trying to extract in two places in
the token an
nvd, osv
CVE-2025-39957 | HIGH | CVSS 7.8 | ≥ 6.4, < 6.6.108; ≥ 6.7, < 6.12.49; +2 more | 2025-10-09
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: increase scan_ies_len for S1G
Currently the S1G capability element is not taken into account
for the scan_ies_len, which leads to a buffer length validation
failure in ieee80211_prep_hw_scan() and subsequent WARN in
__ieee80211_start_scan(). This prevents hw scanning from fu
nvd, osv
CVE-2025-39955 | HIGH | CVSS 7.8 | ≥ 3.7, < 5.4.300; ≥ 5.5, < 5.10.245; +6 more | 2025-10-09
In the Linux kernel, the following vulnerability has been resolved:
tcp: Clear tcp_sk(sk)->fastopen_rsk in tcp_disconnect().
syzbot reported the splat below where a socket had tcp_sk(sk)->fastopen_rsk
in the TCP_ESTABLISHED state. [0]
syzbot reused the server-side TCP Fast Open socket as a new client before
the TFO socket completes 3WHS:
1. accept()
2. co
nvd, osv
CVE-2025-39960 | HIGH | CVSS 7.8 | ≥ 6.16, < 6.16.9; v6.17 | 2025-10-09
In the Linux kernel, the following vulnerability has been resolved:
gpiolib: acpi: initialize acpi_gpio_info struct
Since commit 7c010d463372 ("gpiolib: acpi: Make sure we fill struct
acpi_gpio_info"), uninitialized acpi_gpio_info struct are passed to
__acpi_find_gpio() and later in the call stack info->quirks is used in
acpi_populate_gpio_lookup. This brea
nvd, osv
CVE-2025-39956 | MEDIUM | CVSS 5.5 | ≥ 6.9, < 6.12.49; ≥ 6.13, < 6.16.9; +1 more | 2025-10-09
In the Linux kernel, the following vulnerability has been resolved:
igc: don't fail igc_probe() on LED setup error
When igc_led_setup() fails, igc_probe() fails and triggers kernel panic
in free_netdev() since unregister_netdev() is not called. [1]
This behavior can be tested using fault-injection framework, especially
the failslab feature. [2]
Since LED
nvd, osv
CVE-2025-39959 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.15, < 6.16.9; v6.17 | 2025-10-09
In the Linux kernel, the following vulnerability has been resolved:
ASoC: amd: acp: Fix incorrect retrival of acp_chip_info
Use dev_get_drvdata(dev->parent) instead of dev_get_platdata(dev)
to correctly obtain acp_chip_info members in the acp I2S driver.
Previously, some members were not updated properly due to incorrect
data access, which could p
nvd, osv
CVE-2025-39954 | MEDIUM | CVSS 5.5 | CWE-369 | ≥ 6.15, < 6.16.9; v6.17 | 2025-10-09
In the Linux kernel, the following vulnerability has been resolved:
clk: sunxi-ng: mp: Fix dual-divider clock rate readback
When dual-divider clock support was introduced, the P divider offset was
left out of the .recalc_rate readback function. This causes the clock
rate to become bogus or even zero (possibly due to the P divider being
1, leading
nvd, osv
CVE-2025-39961 | MEDIUM | CVSS 4.7 | CWE-362 | ≥ 4.9.194, < 4.10; ≥ 4.14.146, < 4.15; +7 more | 2025-10-09
In the Linux kernel, the following vulnerability has been resolved:
iommu/amd/pgtbl: Fix possible race while increase page table level
The AMD IOMMU host page table implementation supports dynamic page table levels
(up to 6 levels), starting with a 3-level configuration that expands based on
IOVA address. The kernel maintains a root pointer and cu
nvd, osv