Linux Kernel vulnerabilities

CVE-2023-53554 [HIGH] CWE-787 CVE-2023-53554: In the Linux kernel, the following vulnerability has been resolved: staging: ks7010: potential buff In the Linux kernel, the following vulnerability has been resolved: staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext() The "exc->key_len" is a u16 that comes from the user. If it's over IW_ENCODING_TOKEN_MAX (64) that could lead to memory corruption.

CVE-2025-39945 [HIGH] CWE-416 CVE-2025-39945: In the Linux kernel, the following vulnerability has been resolved: cnic: Fix use-after-free bugs i In the Linux kernel, the following vulnerability has been resolved: cnic: Fix use-after-free bugs in cnic_delete_task The original code uses cancel_delayed_work() in cnic_cm_stop_bnx2x_hw(), which does not guarantee that the delayed work item 'delete_task' has fully completed if it was already running. Additionally, the delayed work item is cyclic,

CVE-2023-53556 [HIGH] CWE-416 CVE-2023-53556: In the Linux kernel, the following vulnerability has been resolved: iavf: Fix use-after-free in fre In the Linux kernel, the following vulnerability has been resolved: iavf: Fix use-after-free in free_netdev We do netif_napi_add() for all allocated q_vectors[], but potentially do netif_napi_del() for part of them, then kfree q_vectors and leave invalid pointers at dev->napi_list. Reproducer: [root@host ~]# cat repro.sh #!/bin/bash pf_dbsf="0000

CVE-2023-53560 [HIGH] CWE-416 CVE-2023-53560: In the Linux kernel, the following vulnerability has been resolved: tracing/histograms: Add histogr In the Linux kernel, the following vulnerability has been resolved: tracing/histograms: Add histograms to hist_vars if they have referenced variables Hist triggers can have referenced variables without having direct variables fields. This can be the case if referenced variables are added for trigger actions. In this case the newly added references w

CVE-2023-53596 [HIGH] CWE-415 CVE-2023-53596: In the Linux kernel, the following vulnerability has been resolved: drivers: base: Free devm resour In the Linux kernel, the following vulnerability has been resolved: drivers: base: Free devm resources when unregistering a device In the current code, devres_release_all() only gets called if the device has a bus and has been probed. This leads to issues when using bus-less or driver-less devices where the device might never get freed if a managed

CVE-2023-53578 [HIGH] CWE-908 CVE-2023-53578: In the Linux kernel, the following vulnerability has been resolved: net: qrtr: Fix an uninit variab In the Linux kernel, the following vulnerability has been resolved: net: qrtr: Fix an uninit variable access bug in qrtr_tx_resume() Syzbot reported a bug as following: BUG: KMSAN: uninit-value in qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230 qrtr_tx_resume+0x185/0x1f0 net/qrtr/af_qrtr.c:230 qrtr_endpoint_post+0xf85/0x11b0 net/qrtr/af_qrtr.c:51

CVE-2025-39943 [HIGH] CWE-125 CVE-2025-39943: In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbdirect: validate data In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbdirect: validate data_offset and data_length field of smb_direct_data_transfer If data_offset and data_length of smb_direct_data_transfer struct are invalid, out of bounds issue could happen. This patch validate data_offset and data_length field in recv_done.

CVE-2023-53572 [HIGH] CWE-416 CVE-2023-53572: In the Linux kernel, the following vulnerability has been resolved: clk: imx: scu: use _safe list i In the Linux kernel, the following vulnerability has been resolved: clk: imx: scu: use _safe list iterator to avoid a use after free This loop is freeing "clk" so it needs to use list_for_each_entry_safe(). Otherwise it dereferences a freed variable to get the next item on the loop.

CVE-2022-50497 [HIGH] CWE-125 CVE-2022-50497: In the Linux kernel, the following vulnerability has been resolved: binfmt_misc: fix shift-out-of-b In the Linux kernel, the following vulnerability has been resolved: binfmt_misc: fix shift-out-of-bounds in check_special_flags UBSAN reported a shift-out-of-bounds warning: left shift of 1 by 31 places cannot be represented in type 'int' Call Trace: __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106 ubsan_epil

CVE-2023-53604 [HIGH] CVE-2023-53604: In the Linux kernel, the following vulnerability has been resolved: dm integrity: call kmem_cache_d In the Linux kernel, the following vulnerability has been resolved: dm integrity: call kmem_cache_destroy() in dm_integrity_init() error path Otherwise the journal_io_cache will leak if dm_register_target() fails.

CVE-2025-39944 [HIGH] CWE-416 CVE-2025-39944: In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix use-after-fre In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: Fix use-after-free bugs in otx2_sync_tstamp() The original code relies on cancel_delayed_work() in otx2_ptp_destroy(), which does not ensure that the delayed work item synctstamp_work has fully completed if it was already running. This leads to use-after-free scenarios

CVE-2023-53577 [HIGH] CWE-401 CVE-2023-53577: In the Linux kernel, the following vulnerability has been resolved: bpf, cpumap: Make sure kthread In the Linux kernel, the following vulnerability has been resolved: bpf, cpumap: Make sure kthread is running before map update returns The following warning was reported when running stress-mode enabled xdp_redirect_cpu with some RT threads: ------------[ cut here ]------------ WARNING: CPU: 4 PID: 65 at kernel/bpf/cpumap.c:135 CPU: 4 PID: 65 Comm:

CVE-2022-50496 [HIGH] CWE-416 CVE-2022-50496: In the Linux kernel, the following vulnerability has been resolved: dm cache: Fix UAF in destroy() In the Linux kernel, the following vulnerability has been resolved: dm cache: Fix UAF in destroy() Dm_cache also has the same UAF problem when dm_resume() and dm_destroy() are concurrent. Therefore, cancelling timer again in destroy().

CVE-2023-53608 [HIGH] CWE-416 CVE-2023-53608: In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential UAF of st In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread() The finalization of nilfs_segctor_thread() can race with nilfs_segctor_kill_thread() which terminates that thread, potentially causing a use-after-free BUG as KASAN detected. At the end of nilfs_segctor_thr

CVE-2023-53552 [HIGH] CWE-416 CVE-2023-53552: In the Linux kernel, the following vulnerability has been resolved: drm/i915: mark requests for GuC In the Linux kernel, the following vulnerability has been resolved: drm/i915: mark requests for GuC virtual engines to avoid use-after-free References to i915_requests may be trapped by userspace inside a sync_file or dmabuf (dma-resv) and held indefinitely across different proceses. To counter-act the memory leaks, we try to not to keep references

CVE-2023-53544 [HIGH] CWE-416 CVE-2023-53544: In the Linux kernel, the following vulnerability has been resolved: cpufreq: davinci: Fix clk use a In the Linux kernel, the following vulnerability has been resolved: cpufreq: davinci: Fix clk use after free The remove function first frees the clks and only then calls cpufreq_unregister_driver(). If one of the cpufreq callbacks is called just before cpufreq_unregister_driver() is run, the freed clks might be used.

CVE-2025-39951 [HIGH] CWE-416 CVE-2025-39951: In the Linux kernel, the following vulnerability has been resolved: um: virtio_uml: Fix use-after-f In the Linux kernel, the following vulnerability has been resolved: um: virtio_uml: Fix use-after-free after put_device in probe When register_virtio_device() fails in virtio_uml_probe(), the code sets vu_dev->registered = 1 even though the device was not successfully registered. This can lead to use-after-free or other issues.

CVE-2025-39935 [HIGH] CWE-787 CVE-2025-39935: In the Linux kernel, the following vulnerability has been resolved: ASoC: codec: sma1307: Fix memor In the Linux kernel, the following vulnerability has been resolved: ASoC: codec: sma1307: Fix memory corruption in sma1307_setting_loaded() The sma1307->set.header_size is how many integers are in the header (there are 8 of them) but instead of allocating space of 8 integers we allocate 8 bytes. This leads to memory corruption when we copy data it o

CVE-2022-50485 [MEDIUM] CVE-2022-50485: In the Linux kernel, the following vulnerability has been resolved: ext4: add EXT4_IGET_BAD flag to In the Linux kernel, the following vulnerability has been resolved: ext4: add EXT4_IGET_BAD flag to prevent unexpected bad inode There are many places that will get unhappy (and crash) when ext4_iget() returns a bad inode. However, if iget the boot loader inode, allows a bad inode to be returned, because the inode may not be initialized. This mechanism ca

CVE-2022-50505 [MEDIUM] CVE-2022-50505: In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix pci device refco In the Linux kernel, the following vulnerability has been resolved: iommu/amd: Fix pci device refcount leak in ppr_notifier() As comment of pci_get_domain_bus_and_slot() says, it returns a pci device with refcount increment, when finish using it, the caller must decrement the reference count by calling pci_dev_put(). So call it before returning from ppr_n