Linux Kernel vulnerabilities
14,742 known vulnerabilities affecting linux/linux_kernel.
Total CVEs: 14,742
CISA KEV: 29 (actively exploited)
Public exploits: 297
Exploited in wild: 31
Severity breakdown: CRITICAL 112, HIGH 3715, MEDIUM 8619, LOW 440, UNKNOWN 1856
Vulnerabilities
Page 134 of 738
CVE-2023-53550 | MEDIUM | CVSS 5.5 | ≥ 6.4, < 6.4.11 | v6.5 | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved:
cpufreq: amd-pstate: fix global sysfs attribute type
In commit 3666062b87ec ("cpufreq: amd-pstate: move to use bus_get_dev_root()")
the "amd_pstate" attributes were moved from a dedicated kobject to the
cpu root kobject.
While the dedicated kobject expects to contain kobj_attributes the
nvd, osv
CVE-2025-39937 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 4.6, < 5.4.300 | ≥ 5.5, < 5.10.245 | +6 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved:
net: rfkill: gpio: Fix crash due to dereferencing uninitialized pointer
Since commit 7d5e9737efda ("net: rfkill: gpio: get the name and type from
device property") rfkill_find_type() gets called with the possibly
uninitialized "const char *type_name;" local variable.
On x86 sys
nvd, osv
CVE-2022-50502 | UNKNOWN | ≥ 0, < 5.5.13-1 | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: mm: /proc/pid/smaps_rollup: fix no vma's null-deref Commit 258f669e7e88 ("mm: /proc/pid/smaps_rollup: convert to single value seq_file") introduced a null-deref if there are no vma's in the task in show_smaps_rollup.
osv
CVE-2022-50495 | UNKNOWN | ≥ 0, < 5.10.178-1 | ≥ 0, < 6.1.4-1 | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: x86/xen: Fix memory leak in xen_smp_intr_init{_pv}() These local variables @{resched|pmu|callfunc...}_name saves the new string allocated by kasprintf(), and when bind_{v}ipi_to_irqhandler() fails, it goes to the @fail tag, and calls xen_smp_intr_fre
osv
CVE-2022-50487 | UNKNOWN | ≥ 0, < 5.10.221-1 | ≥ 0, < 6.0.3-1 | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: NFSD: Protect against send buffer overflow in NFSv3 READDIR Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send buffers into a single array of pages. This works because there
osv
CVE-2022-50437 | HIGH | CVSS 7.8 | CWE-787 | ≥ 3.12, < 4.9.332 | ≥ 4.10, < 4.14.298 | +6 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/hdmi: fix memory corruption with too many bridges
Add the missing sanity check on the bridge counter to avoid corrupting
data beyond the fixed-sized bridge array in case there are ever more
than eight bridges.
Patchwork: https://patchwork.freedesktop.org/patch/502670/
nvd, osv
CVE-2023-53515 | HIGH | CVSS 7.8 | CWE-416 | ≥ 4.15.1, < 4.19.293 | ≥ 4.20, < 5.4.255 | +6 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
virtio-mmio: don't break lifecycle of vm_dev
vm_dev has a separate lifecycle because it has a 'struct device'
embedded. Thus, having a release callback for it is correct.
Allocating the vm_dev struct with devres totally breaks this protection,
though. Instead of waiting for the vm_
nvd, osv
CVE-2023-53508 | HIGH | CVSS 7.8 | ≥ 6.0, < 6.1.43 | ≥ 6.2, < 6.4.8 | +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
ublk: fail to start device if queue setup is interrupted
In ublk_ctrl_start_dev(), if wait_for_completion_interruptible() is
interrupted by signal, queues aren't set up successfully yet, so we
have to fail UBLK_CMD_START_DEV, otherwise kernel oops can be triggered.
Reported by German when w
nvd, osv
CVE-2023-53473 | HIGH | CVSS 7.8 | ≥ 5.2, < 5.15.112 | ≥ 5.16, < 6.1.29 | +3 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
ext4: improve error handling from ext4_dirhash()
The ext4_dirhash() will *almost* never fail, especially when the hash
tree feature was first introduced. However, with the addition of
support of encrypted, casefolded file names, that function can most
certainly fail today.
So make sure the
nvd, osv
CVE-2025-39913 | HIGH | CVSS 7.8 | ≥ 4.17, < 5.4.300 | ≥ 5.5, < 5.10.245 | +6 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
tcp_bpf: Call sk_msg_free() when tcp_bpf_send_verdict() fails to allocate psock->cork.
syzbot reported the splat below. [0]
The repro does the following:
1. Load a sk_msg prog that calls bpf_msg_cork_bytes(msg, cork_bytes)
2. Attach the prog to a SOCKMAP
3. Add a socket to the SOCKMAP
4.
nvd, osv
CVE-2023-53516 | HIGH | CVSS 7.8 | ≥ 6.4, < 6.4.8 | v6.5 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
macvlan: add forgotten nla_policy for IFLA_MACVLAN_BC_CUTOFF
The previous commit 954d1fa1ac93 ("macvlan: Add netlink attribute for
broadcast cutoff") added one additional attribute named
IFLA_MACVLAN_BC_CUTOFF to allow broadcast cutoff.
However, it forgot to describe the nla_policy at mac
nvd, osv
CVE-2025-39896 | HIGH | CVSS 7.8 | CWE-416 | ≥ 6.8, < 6.12.46 | ≥ 6.13, < 6.16.6 | +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
accel/ivpu: Prevent recovery work from being queued during device removal
Use disable_work_sync() instead of cancel_work_sync() in ivpu_dev_fini()
to ensure that no new recovery work items can be queued after device
removal has started. Previously, recovery work could be scheduled e
nvd, osv
CVE-2025-39905 | HIGH | CVSS 7.0 | CWE-362 | fixed in 6.16.8 | v6.17 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
net: phylink: add lock for serializing concurrent pl->phydev writes with resolver
Currently phylink_resolve() protects itself against concurrent
phylink_bringup_phy() or phylink_disconnect_phy() calls which modify
pl->phydev by relying on pl->state_mutex.
The problem is that in phy
nvd, osv
CVE-2025-39922 | HIGH | CVSS 7.1 | CWE-125 | ≥ 6.9, < 6.12.46 | ≥ 6.13, < 6.16.6 | +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
ixgbe: fix incorrect map used in eee linkmode
incorrectly used ixgbe_lp_map in loops intended to populate the
supported and advertised EEE linkmode bitmaps based on ixgbe_ls_map.
This results in incorrect bit setting and potential out-of-bounds
access, since ixgbe_lp_map and ixgbe_l
nvd, osv
CVE-2023-53504 | HIGH | CVSS 7.8 | CWE-416 | ≥ 6.3, < 6.4.11 | v6.5 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
RDMA/bnxt_re: Properly order ib_device_unalloc() to avoid UAF
ib_dealloc_device() should be called only after device cleanup. Fix the
dealloc sequence.
nvd, osv
CVE-2023-53485 | HIGH | CVSS 7.8 | CWE-129 | ≥ 2.6.12.1, < 4.14.324 | ≥ 4.15, < 4.19.293 | +6 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev
Syzkaller reported the following issue:
UBSAN: array-index-out-of-bounds in fs/jfs/jfs_dmap.c:1965:6
index -84 is out of range for type 's8[341]' (aka 'signed char[341]')
CPU: 1 PID: 4995 Comm: syz-executor146 Not tain
nvd, osv
CVE-2023-53500 | HIGH | CVSS 7.8 | CWE-416 | ≥ 3.19.1, < 4.19.293 | ≥ 4.20, < 5.4.255 | +6 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
xfrm: fix slab-use-after-free in decode_session6
When the xfrm device is set to the qdisc of the sfb type, the cb field
of the sent skb may be modified during enqueuing. Then,
slab-use-after-free may occur when the xfrm device sends IPv6 packets.
The stack information is as follows
nvd, osv
CVE-2023-53522 | HIGH | CVSS 7.8 | ≥ 6.1, < 6.1.25 | ≥ 6.2, < 6.2.12 | +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
cgroup,freezer: hold cpu_hotplug_lock before freezer_mutex
syzbot is reporting circular locking dependency between cpu_hotplug_lock
and freezer_mutex, for commit f5d39b020809 ("freezer,sched: Rewrite core
freezer logic") replaced atomic_inc() in freezer_apply_state() with
static_branch_inc(
nvd, osv
CVE-2023-53521 | HIGH | CVSS 7.1 | CWE-125 | ≥ 2.6.25, < 4.14.308 | ≥ 4.15, < 4.19.276 | +5 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
A fix for:
BUG: KASAN: slab-out-of-bounds in ses_intf_remove+0x23f/0x270 [ses]
Read of size 8 at addr ffff88a10d32e5d8 by task rmmod/12013
When edev->components is zero, accessing edev->component[0] members is
wrong.
nvd, osv
CVE-2023-53510 | HIGH | CVSS 7.8 | CWE-415 | ≥ 3.12, < 6.3.13 | ≥ 6.4, < 6.4.4 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
scsi: ufs: core: Fix handling of lrbp->cmd
ufshcd_queuecommand() may be called two times in a row for a SCSI command
before it is completed. Hence make the following changes:
- In the functions that submit a command, do not check the old value of
lrbp->cmd nor clear lrbp->cmd in er
nvd, osv