Linux Kernel vulnerabilities
14,883 known vulnerabilities affecting linux/linux_kernel.
Total CVEs: 14,883
CISA KEV: 29 (actively exploited)
Public exploits: 297
Exploited in wild: 31
Severity breakdown: CRITICAL 128, HIGH 3822, MEDIUM 8775, LOW 429, UNKNOWN 1729
Vulnerabilities
CVE-2024-58241 [MEDIUM] | CVSS 5.5 | ≥ 4.19.319, < 4.20; ≥ 5.4.281, < 5.5; +8 more | 2025-09-24
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_core: Disable works on hci_unregister_dev
This makes use of disable_work_* on hci_unregister_dev since the hci_dev is
about to be freed and new submissions are not desirable.
Sources: nvd, osv

CVE-2025-39890 [MEDIUM] CWE-401 | CVSS 5.5 | ≥ 6.3, < 6.6.94; ≥ 6.7, < 6.12.34; +1 more | 2025-09-24
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath12k: fix memory leak in ath12k_service_ready_ext_event
Currently, in ath12k_service_ready_ext_event(), svc_rdy_ext.mac_phy_caps
is not freed in the failure case, causing a memory leak. The following
trace is observed in kmemleak:
unreferenced object 0xffff8b3eb5789c00 (s
Sources: nvd, osv

CVE-2025-39882 [HIGH] CWE-416 | CVSS 7.8 | ≥ 6.6.105, < 6.6.107; ≥ 6.12.45, < 6.12.48; +2 more | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
drm/mediatek: fix potential OF node use-after-free
The for_each_child_of_node() helper drops the reference it takes to each
node as it iterates over children and an explicit of_node_put() is only
needed when exiting the loop early.
Drop the recently introduced bogus additional refer
Sources: nvd, osv

CVE-2025-39870 [HIGH] CWE-415 | CVSS 7.8 | ≥ 6.1.140, < 6.1.153; ≥ 6.6.92, < 6.6.107; +5 more | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Fix double free in idxd_setup_wqs()
The clean up in idxd_setup_wqs() has had a couple bugs because the error
handling is a bit subtle. It's simpler to just re-write it in a cleaner
way. The issues here are:
1) If "idxd->max_wqs" is <= 0 then we call put_device(conf
Sources: nvd, osv

CVE-2025-39888 [HIGH] CWE-787 | CVSS 7.8 | ≥ 6.16, < 6.16.8; v6.17 | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
fuse: Block access to folio overlimit
syz reported a slab-out-of-bounds Write in fuse_dev_do_write.
When the number of bytes to be retrieved is truncated to the upper limit
by fc->max_pages and there is an offset, the oob is triggered.
Add a loop termination condition to prevent o
Sources: nvd, osv

CVE-2025-39869 [HIGH] CWE-125 | CVSS 7.1 | ≥ 4.4, < 5.4.300; ≥ 5.5, < 5.10.245; +6 more | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: ti: edma: Fix memory allocation size for queue_priority_map
Fix a critical memory allocation bug in edma_setup_from_hw() where
queue_priority_map was allocated with insufficient memory. The code
declared queue_priority_map as s8 (*)[2] (pointer to array of 2 s8),
but allo
Sources: nvd, osv

CVE-2025-39873 [HIGH] CWE-416 | CVSS 7.8 | ≥ 4.19, < 5.15.194; ≥ 5.16, < 6.1.153; +4 more | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
can: xilinx_can: xcan_write_frame(): fix use-after-free of transmitted SKB
can_put_echo_skb() takes ownership of the SKB and it may be freed
during or after the call.
However, xilinx_can xcan_write_frame() keeps using SKB after the call.
Fix that by only calling can_put_echo_skb()
Sources: nvd, osv

CVE-2025-39880 [HIGH] CWE-704 | CVSS 7.8 | ≥ 5.11, < 5.15.194; ≥ 5.16, < 6.1.153; +4 more | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
libceph: fix invalid accesses to ceph_connection_v1_info
There is a place where generic code in messenger.c is reading and
another place where it is writing to con->v1 union member without
checking that the union member is active (i.e. msgr1 is in use).
On 64-bit systems, con->v1.a
Sources: nvd, osv

CVE-2025-39868 [HIGH] | CVSS 7.8 | ≥ 6.15, < 6.16.8; v6.17 | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix runtime warning on truncate_folio_batch_exceptionals()
Commit 0e2f80afcfa6 ("fs/dax: ensure all pages are idle prior to
filesystem unmount") introduced the WARN_ON_ONCE to capture whether
the filesystem has removed all DAX entries or not and applied the
fix to xfs and ext4.
Apply
Sources: nvd, osv

CVE-2025-39871 [HIGH] CWE-416 | CVSS 7.8 | ≥ 6.1.140, < 6.2; ≥ 6.6.92, < 6.6.107; +5 more | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Remove improper idxd_free
The call to idxd_free() introduces a duplicate put_device() leading to a
reference count underflow:
refcount_t: underflow; use-after-free.
WARNING: CPU: 15 PID: 4428 at lib/refcount.c:28 refcount_warn_saturate+0xbe/0x110
...
Call Trace:
id
Sources: nvd, osv

CVE-2025-39883 [HIGH] CWE-125 | CVSS 7.1 | ≥ 4.13, < 5.4.300; ≥ 5.5, < 5.10.245; +6 more | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
mm/memory-failure: fix VM_BUG_ON_PAGE(PagePoisoned(page)) when unpoison memory
When I did memory failure tests, below panic occurs:
page dumped because: VM_BUG_ON_PAGE(PagePoisoned(page))
kernel BUG at include/linux/page-flags.h:616!
Oops: invalid opcode: 0000 [#1] PREEMPT SMP NOPT
Sources: nvd, osv

CVE-2025-39877 [HIGH] CWE-416 | CVSS 7.8 | ≥ 5.18, < 6.1.153; ≥ 6.2, < 6.6.107; +3 more | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
mm/damon/sysfs: fix use-after-free in state_show()
state_show() reads kdamond->damon_ctx without holding damon_sysfs_lock.
This allows a use-after-free race:
CPU 0                         CPU 1
-----                         -----
state_show()                  damon_sysfs_turn_damon_on()
ctx = kdamond->damon_ctx;     mutex_lock(&damon_sysfs_lock);
da
Sources: nvd, osv

CVE-2025-39881 [HIGH] CWE-416 | CVSS 7.8 | ≥ 6.1, < 6.1.153; ≥ 6.2, < 6.6.107; +3 more | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
kernfs: Fix UAF in polling when open file is released
A use-after-free (UAF) vulnerability was identified in the PSI (Pressure
Stall Information) monitoring mechanism:
BUG: KASAN: slab-use-after-free in psi_trigger_poll+0x3c/0x140
Read of size 8 at addr ffff3de3d50bd308 by task sys
Sources: nvd, osv

CVE-2025-39887 [MEDIUM] CWE-476 | CVSS 5.5 | ≥ 6.16, < 6.16.8; v6.17 | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
tracing/osnoise: Fix null-ptr-deref in bitmap_parselist()
A crash was observed with the following output:
BUG: kernel NULL pointer dereference, address: 0000000000000010
Oops: Oops: 0000 [#1] SMP NOPTI
CPU: 2 UID: 0 PID: 92 Comm: osnoise_cpus Not tainted 6.17.0-rc4-00201-gd69eb20
Sources: nvd, osv

CVE-2025-39884 [MEDIUM] CWE-667 | CVSS 4.7 | ≥ 6.11, < 6.12.48; ≥ 6.13, < 6.16.8; +1 more | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix subvolume deletion lockup caused by inodes xarray race
There is a race condition between inode eviction and inode caching that
can cause a live struct btrfs_inode to be missing from the root->inodes
xarray. Specifically, there is a window during evict() between the inod
Sources: nvd, osv

CVE-2025-39876 [MEDIUM] CWE-476 | CVSS 5.5 | ≥ 4.19.153, < 4.20; ≥ 5.4.73, < 5.4.300; +8 more | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
net: fec: Fix possible NPD in fec_enet_phy_reset_after_clk_enable()
The function of_phy_find_device may return NULL, so we need to take
care before dereferencing phy_dev.
Sources: nvd, osv

CVE-2025-39886 [MEDIUM] | CVSS 5.5 | ≥ 5.15, < 6.6.107; ≥ 6.7, < 6.12.48; +2 more | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
bpf: Tell memcg to use allow_spinning=false path in bpf_timer_init()
Currently, calling bpf_map_kmalloc_node() from __bpf_async_init() can
cause various locking issues; see the following stack trace (edited for
style) as one example:
...
[10.011566] do_raw_spin_lock.cold
[10.011570] try_
Sources: nvd, osv

CVE-2025-39878 [MEDIUM] CWE-476 | CVSS 5.5 | ≥ 6.15, < 6.16.8; v6.17 | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix crash after fscrypt_encrypt_pagecache_blocks() error
The function move_dirty_folio_in_page_array() was created by commit
ce80b76dd327 ("ceph: introduce ceph_process_folio_batch() method") by
moving code from ceph_writepages_start() to this function.
This new function is
Sources: nvd, osv

CVE-2025-39874 [MEDIUM] | CVSS 5.5 | ≥ 6.15, < 6.16.8; v6.17 | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
macsec: sync features on RTM_NEWLINK
Syzkaller managed to lock the lower device via ETHTOOL_SFEATURES:
netdev_lock include/linux/netdevice.h:2761 [inline]
netdev_lock_ops include/net/netdev_lock.h:42 [inline]
netdev_sync_lower_features net/core/dev.c:10649 [inline]
__netdev_update_featur
Sources: nvd, osv

CVE-2025-39879 [MEDIUM] CWE-476 | CVSS 5.5 | ≥ 6.15, < 6.16.8; v6.17 | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
ceph: always call ceph_shift_unused_folios_left()
The function ceph_process_folio_batch() sets folio_batch entries to
NULL, which is an illegal state. Before folio_batch_release() crashes
due to this API violation, the function ceph_shift_unused_folios_left()
is supposed to remove
Sources: nvd, osv