Linux Kernel vulnerabilities
14,742 known vulnerabilities affecting linux/linux_kernel.
Total CVEs: 14,742
CISA KEV: 29 (actively exploited)
Public exploits: 297
Exploited in wild: 31
Severity breakdown: CRITICAL 112, HIGH 3715, MEDIUM 8619, LOW 440, UNKNOWN 1856
Vulnerabilities
Page 135 of 738
CVE-2025-39901 | HIGH | CVSS 7.1 | CWE-125 | ≥ 3.12, < 6.12.46; ≥ 6.13, < 6.16.6; +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
i40e: remove read access to debugfs files
The 'command' and 'netdev_ops' debugfs files are a legacy debugging
interface supported by the i40e driver since its early days by commit
02e9c290814c ("i40e: debugfs interface").
Both of these debugfs files provide a read handler which is
CVE-2023-53487 | HIGH | CVSS 7.8 | ≥ 4.16, < 4.19.293; ≥ 4.20, < 5.4.255; +5 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
powerpc/rtas_flash: allow user copy to flash block cache objects
With hardened usercopy enabled (CONFIG_HARDENED_USERCOPY=y), using the
/proc/powerpc/rtas/firmware_update interface to prepare a system
firmware update yields a BUG():
kernel BUG at mm/usercopy.c:102!
Oops: Exception in kernel
CVE-2021-4460 | HIGH | CVSS 7.1 | CWE-125 | fixed in 5.4.118; ≥ 5.5, < 5.10.36; +2 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix UBSAN shift-out-of-bounds warning
If get_num_sdma_queues or get_num_xgmi_sdma_queues is 0, we end up
doing a shift operation where the number of bits shifted equals
number of bits in the operand. This behaviour is undefined.
Set num_sdma_queues or num_xgmi_sdma_queues
CVE-2023-53479 | HIGH | CVSS 7.8 | CWE-416 | ≥ 6.0, < 6.1.43; ≥ 6.2, < 6.4.8; +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
cxl/acpi: Fix a use-after-free in cxl_parse_cfmws()
KASAN and KFENCE detected a use-after-free in the CXL driver. This
happens in the cxl_decoder_add() fail path. KASAN prints the following
error:
BUG: KASAN: slab-use-after-free in cxl_parse_cfmws (drivers/cxl/acpi.c:299)
This ha
CVE-2022-50423 | HIGH | CVSS 7.8 | CWE-416 | ≥ 3.10.55, < 3.11; ≥ 3.12.29, < 3.13; +9 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
There is a use-after-free reported by KASAN:
BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82
Read of size 1 at addr ffff888112afc460 by task modprobe/2111
CPU: 0 PID: 2111 Comm: modprobe Not tainted
CVE-2023-53484 | HIGH | CVSS 7.8 | CWE-416 | ≥ 3.8.1, < 4.14.316; ≥ 4.15, < 4.19.284; +6 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
lib: cpu_rmap: Avoid use after free on rmap->obj array entries
When calling irq_set_affinity_notifier() with NULL at the notify
argument, it will cause freeing of the glue pointer in the
corresponding array entry but will leave the pointer in the array. A
subsequent call to free_irq_
CVE-2022-50442 | HIGH | CVSS 7.1 | CWE-125 | ≥ 5.15, < 5.15.87; ≥ 5.16, < 6.0.17; +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Validate buffer length while parsing index
indx_read is called when we have some NTFS directory operations that
need more information from the index buffers. This adds a sanity check
to make sure the returned index buffer length is legit, or we may have
some out-of-bound m
CVE-2025-39911 | HIGH | CVSS 7.8 | ≥ 3.13, < 5.4.300; ≥ 5.5, < 5.10.245; +6 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
i40e: fix IRQ freeing in i40e_vsi_request_irq_msix error path
If request_irq() in i40e_vsi_request_irq_msix() fails in an iteration
later than the first, the error path wants to free the IRQs requested
so far. However, it uses the wrong dev_id argument for free_irq(), so
it does not free th
CVE-2023-53493 | HIGH | CVSS 7.8 | ≥ 6.4, < 6.4.7; v6.5 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
accel/qaic: tighten bounds checking in decode_message()
Copy the bounds checking from encode_message() to decode_message().
This patch addresses the following concerns. Ensure that there is
enough space for at least one header so that we don't have a negative
size later.
if (msg_hdr_len d
CVE-2025-39917 | HIGH | CVSS 7.8 | CWE-787 | ≥ 6.10, < 6.12.48; ≥ 6.13, < 6.16.8; +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt
Stanislav reported that in bpf_crypto_crypt() the destination dynptr's
size is not validated to be at least as large as the source dynptr's
size before calling into the crypto backend with 'len = src_len'. This
can result in an
CVE-2023-53486 | HIGH | CVSS 7.1 | CWE-125 | ≥ 5.15, < 5.15.113; ≥ 5.16, < 6.1.80; +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
fs/ntfs3: Enhance the attribute size check
This combines the overflow and boundary check so that all attribute size
will be properly examined while enumerating them.
[ 169.181521] BUG: KASAN: slab-out-of-bounds in run_unpack+0x2e3/0x570
[ 169.183161] Read of size 1 at addr ffff8880
CVE-2022-50433 | HIGH | CVSS 7.8 | CWE-416 | ≥ 6.0, < 6.0.4; v6.1 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
efi: ssdt: Don't free memory if ACPI table was loaded successfully
Amadeusz reports KASAN use-after-free errors introduced by commit
3881ee0b1edc ("efi: avoid efivars layer when loading SSDTs from
variables"). The problem appears to be that the memory that holds the
new ACPI table i
CVE-2023-53465 | HIGH | CVSS 7.1 | CWE-125 | ≥ 5.13, < 5.15.121; ≥ 5.16, < 6.1.40; +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
soundwire: qcom: fix storing port config out-of-bounds
The 'qcom_swrm_ctrl->pconfig' has size of QCOM_SDW_MAX_PORTS (14),
however we index it starting from 1, not 0, to match real port numbers.
This can lead to writing port config past 'pconfig' bounds and
overwriting next member of
CVE-2023-53459 | HIGH | CVSS 7.8 | CWE-416 | v6.2 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
HID: mcp-2221: prevent UAF in delayed work
If the device is plugged/unplugged without giving time for mcp_init_work()
to complete, we might kick in the devm free code path and thus have
unavailable struct mcp_2221 while in delayed work.
Canceling the delayed_work item is enough to
CVE-2022-50421 | HIGH | CVSS 7.8 | CWE-416 | ≥ 5.18, < 5.19.17; ≥ 6.0, < 6.0.3 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
rpmsg: char: Avoid double destroy of default endpoint
The rpmsg_dev_remove() in rpmsg_core is the place for releasing
this default endpoint.
So need to avoid destroying the default endpoint in
rpmsg_chrdev_eptdev_destroy(), this should be the same as
rpmsg_eptdev_release(). Otherwi
CVE-2023-53495 | HIGH | CVSS 7.8 | CWE-787 | ≥ 5.2, < 5.4.257; ≥ 5.5, < 5.10.195; +4 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc()
rules is allocated in ethtool_get_rxnfc and the size is determined by
rule_cnt from user space. So rule_cnt needs to be checked before using
rules to avoid OOB writing or NULL pointer dereference.
CVE-2023-53494 | HIGH | CVSS 7.8 | CWE-416 | ≥ 5.4, < 5.10.173; ≥ 5.11, < 5.15.99; +2 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
crypto: xts - Handle EBUSY correctly
As it is xts only handles the special return value of EINPROGRESS,
which means that in all other cases it will free data related to the
request.
However, as the caller of xts may specify MAY_BACKLOG, we also need
to expect EBUSY and treat it in
CVE-2022-50454 | HIGH | CVSS 7.8 | CWE-416 | ≥ 5.4, < 5.4.220; ≥ 5.5, < 5.10.150; +3 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()
nouveau_bo_init() is backed by ttm_bo_init() and ferries its return code
back to the caller. On failures, ttm will call nouveau_bo_del_ttm() and
free the memory. Thus, when nouveau_bo_init() returns an error, th
CVE-2022-50432 | HIGH | CVSS 7.8 | CWE-416 | ≥ 3.14, < 4.9.332; ≥ 4.10, < 4.14.298; +5 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
kernfs: fix use-after-free in __kernfs_remove
Syzkaller managed to trigger concurrent calls to
kernfs_remove_by_name_ns() for the same file resulting in
a KASAN detected use-after-free. The race occurs when the root
node is freed during kernfs_drain().
To prevent this acquire an ad
CVE-2023-53492 | HIGH | CVSS 7.8 | ≥ 5.9, < 5.10.188; ≥ 5.11, < 5.15.121; +3 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
netfilter: nf_tables: do not ignore genmask when looking up chain by id
When adding a rule to a chain referring to its ID, if that chain had been
deleted on the same batch, the rule might end up referring to a deleted
chain.
This will lead to a WARNING like the following:
[ 33.098431] -------