Linux Kernel vulnerabilities

14,742 known vulnerabilities affecting linux/linux_kernel.

Total CVEs: 14,742
CISA KEV: 29 (actively exploited)
Public exploits: 297
Exploited in wild: 31
Severity breakdown: CRITICAL 112, HIGH 3715, MEDIUM 8619, LOW 440, UNKNOWN 1856

Vulnerabilities

CVE-2025-39865 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 4.14.261, < 4.15; ≥ 4.19.224, < 4.20; +9 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
tee: fix NULL pointer dereference in tee_shm_put
tee_shm_put have NULL pointer dereference:
__optee_disable_shm_cache -->
    shm = reg_pair_to_ptr(...);//shm maybe return NULL
    tee_shm_free(shm); -->
        tee_shm_put(shm);//crash
Add check in tee_shm_put to fix it.
panic log: Unable to
Sources: NVD, OSV

CVE-2025-39858 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.15, < 6.16.6; v6.17 | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
eth: mlx4: Fix IS_ERR() vs NULL check bug in mlx4_en_create_rx_ring
Replace NULL check with IS_ERR() check after calling page_pool_create() since this function returns error pointers (ERR_PTR). Using NULL check could lead to invalid pointer dereference.
Sources: NVD, OSV

CVE-2025-39852 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 6.7, < 6.12.46; ≥ 6.13, < 6.16.6; +1 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6
When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just exits the function. This ends up causing a memory-leak:
unreferenced object 0xffff0000281a8200 (size 2496):
  comm "softirq", pid 0, jiffies 4
Sources: NVD, OSV

CVE-2025-39843 | MEDIUM | CVSS 5.5 | CWE-667 | ≥ 5.19, < 6.1.151; ≥ 6.2, < 6.6.105; +3 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
mm: slub: avoid wake up kswapd in set_track_prepare
set_track_prepare() can incur lock recursion. The issue is that it is called from hrtimer_start_range_ns holding the per_cpu(hrtimer_bases)[n].lock, but when enabled CONFIG_DEBUG_OBJECTS_TIMERS, may wake up kswapd in set_track_pre
Sources: NVD, OSV

CVE-2025-39851 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 5.8, < 6.12.46; ≥ 6.13, < 6.16.6; +1 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix NPD when refreshing an FDB entry with a nexthop object
VXLAN FDB entries can point to either a remote destination or an FDB nexthop group. The latter is usually used in EVPN deployments where learning is disabled. However, when learning is enabled, an incoming packet mi
Sources: NVD, OSV

CVE-2025-39850 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 5.8, < 6.12.46; ≥ 6.13, < 6.16.6; +1 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
vxlan: Fix NPD in {arp,neigh}_reduce() when using nexthop objects
When the "proxy" option is enabled on a VXLAN device, the device will suppress ARP requests and IPv6 Neighbor Solicitation messages if it is able to reply on behalf of the remote host. That is, if a matching and val
Sources: NVD, OSV

CVE-2025-39845 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 5.13, < 5.15.192; ≥ 5.16, < 6.1.151; +4 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
x86/mm/64: define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings()
Define ARCH_PAGE_TABLE_SYNC_MASK and arch_sync_kernel_mappings() to ensure page tables are properly synchronized when calling p*d_populate_kernel(). For 5-level paging, synchronization is performed via pg
Sources: NVD, OSV

CVE-2025-39857 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.0, < 6.1.151; ≥ 6.2, < 6.6.105; +3 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
net/smc: fix one NULL pointer dereference in smc_ib_is_sg_need_sync()
BUG: kernel NULL pointer dereference, address: 00000000000002ec
PGD 0 P4D 0
Oops: Oops: 0000 [#1] SMP PTI
CPU: 28 UID: 0 PID: 343 Comm: kworker/28:1 Kdump: loaded Tainted: G OE 6.17.0-rc2+ #9 NONE
Tainted: [O]=O
Sources: NVD, OSV

CVE-2025-39856 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.15, < 6.16.6; v6.17 | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
net: ethernet: ti: am65-cpsw-nuss: Fix null pointer dereference for ndev
In the TX completion packet stage of TI SoCs with CPSW2G instance, which has single external ethernet port, ndev is accessed without being initialized if no TX packets have been processed. It results into nul
Sources: NVD, OSV

CVE-2025-39848 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 2.6.12.1, < 5.4.299; ≥ 5.5, < 5.10.243; +7 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
ax25: properly unshare skbs in ax25_kiss_rcv()
Bernard Pidoux reported a regression apparently caused by commit c353e8983e0d ("net: introduce per netns packet chains"). skb->dev becomes NULL and we crash in __netif_receive_skb_core(). Before above commit, different kind of bugs o
Sources: NVD, OSV

CVE-2025-39847 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 2.6.15, < 5.4.299; ≥ 5.5, < 5.10.243; +6 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
ppp: fix memory leak in pad_compress_skb
If alloc_skb() fails in pad_compress_skb(), it returns NULL without releasing the old skb. The caller does:
    skb = pad_compress_skb(ppp, skb);
    if (!skb)
        goto drop;
    drop:
        kfree_skb(skb);
When pad_compress_skb() returns NULL, the reference
Sources: NVD, OSV

CVE-2025-39846 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 2.6.35, < 5.4.299; ≥ 5.5, < 5.10.243; +6 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region()
In __iodyn_find_io_region(), pcmcia_make_resource() is assigned to res and used in pci_bus_alloc_resource(). There is a dereference of res in pci_bus_alloc_resource(), which could lead to a NULL pointer dereference
Sources: NVD, OSV

CVE-2025-39838 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.12, < 6.12.46; ≥ 6.13, < 6.16.6; +1 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
cifs: prevent NULL pointer dereference in UTF16 conversion
There can be a NULL pointer dereference bug here. NULL is passed to __cifs_sfu_make_node without checks, which passes it unchecked to cifs_strndup_to_utf16, which in turn passes it to cifs_local_to_utf16_bytes where '*from
Sources: NVD, OSV

CVE-2022-50410 | HIGH | CVSS 7.8 | CWE-787 | fixed in 5.10.220; ≥ 5.11, < 5.15.75; +2 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
NFSD: Protect against send buffer overflow in NFSv2 READ
Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send buffers into a single array of pages. This works because there are no cases where an operation nee
Sources: NVD, OSV

CVE-2022-50406 | HIGH | CVSS 7.8 | CWE-787 | ≥ 4.6, < 5.19.17; ≥ 6.0, < 6.0.3 | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
iomap: iomap: fix memory corruption when recording errors during writeback
Every now and then I see this crash on arm64:
Unable to handle kernel NULL pointer dereference at virtual address 00000000000000f8
Buffer I/O error on dev dm-0, logical block 8733687, async page read
Mem abo
Sources: NVD, OSV

CVE-2023-53386 | HIGH | CVSS 7.8 | CWE-416 | ≥ 5.7, < 5.10.195; ≥ 5.11, < 5.15.132; +3 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix potential use-after-free when clear keys
Similar to commit c5d2b6fa26b5 ("Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk"). We can not access k after kfree_rcu() call.
Sources: NVD, OSV

CVE-2022-50386 | HIGH | CVSS 8.0 | CWE-416 | fixed in 4.9.331; ≥ 4.10, < 4.14.296; +6 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: L2CAP: Fix user-after-free
This uses l2cap_chan_hold_unless_zero() after calling __l2cap_get_chan_blah() to prevent the following trace:
Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref *kref)
Bluetooth: chan 0000000023c4974d
Bluetooth: parent 00000000a
Sources: NVD, OSV

CVE-2023-53373 | HIGH | CVSS 7.8 | CWE-416 | ≥ 2.6.25, < 4.14.308; ≥ 4.15, < 4.19.276; +5 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
crypto: seqiv - Handle EBUSY correctly
As it is seqiv only handles the special return value of EINPROGERSS, which means that in all other cases it will free data related to the request. However, as the caller of seqiv may specify MAY_BACKLOG, we also need to expect EBUSY and treat
Sources: NVD, OSV

CVE-2023-53388 | HIGH | CVSS 7.8 | CWE-416 | ≥ 4.7, < 4.19.276; ≥ 4.20, < 5.4.235; +4 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: Clean dangling pointer on bind error path
mtk_drm_bind() can fail, in which case drm_dev_put() is called, destroying the drm_device object. However a pointer to it was still being held in the private object, and that pointer would be passed along to DRM in mtk_drm_sys_
Sources: NVD, OSV

CVE-2022-50412 | HIGH | CVSS 7.8 | ≥ 4.15, < 5.10.234; ≥ 5.11, < 5.15.75; +2 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
drm: bridge: adv7511: unregister cec i2c device after cec adapter
cec_unregister_adapter() assumes that the underlying adapter ops are callable. For example, if the CEC adapter currently has a valid physical address, then the unregistration procedure will invalidate the physical address by
Sources: NVD, OSV