Linux Kernel vulnerabilities
14,883 known vulnerabilities affecting linux/linux_kernel.
Total CVEs: 14,883
CISA KEV: 29 (actively exploited)
Public exploits: 297
Exploited in wild: 31
Severity breakdown: CRITICAL 128, HIGH 3822, MEDIUM 8775, LOW 429, UNKNOWN 1729
Vulnerabilities
Page 151 of 745
CVE-2025-39875 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 6.14, < 6.16.8; v6.17 | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
igb: Fix NULL pointer dereference in ethtool loopback test
The igb driver currently causes a NULL pointer dereference when executing
the ethtool loopback test. This occurs because there is no associated
q_vector for the test ring when it is set up, as interrupts are typically
not
nvd, osv

CVE-2025-39872 | MEDIUM | CVSS 5.5 | ≥ 6.14, < 6.16.8; v6.17 | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
hsr: hold rcu and dev lock for hsr_get_port_ndev
hsr_get_port_ndev calls hsr_for_each_port, which needs to hold rcu lock.
On the other hand, before returning the port device, we need to hold the
device reference to avoid UaF in the caller function.
nvd, osv

CVE-2025-39885 | MEDIUM | CVSS 5.5 | CWE-667 | ≥ 2.6.28, < 5.4.300; ≥ 5.5, < 5.10.245; +6 more | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: fix recursive semaphore deadlock in fiemap call
syzbot detected an OCFS2 hang due to a recursive semaphore on a
FS_IOC_FIEMAP of the extent list on a specially crafted mmap file.
context_switch kernel/sched/core.c:5357 [inline]
__schedule+0x1798/0x4cc0 kernel/sched/core.c:69
nvd, osv

CVE-2025-39867 | UNKNOWN | ≥ 0, < 6.12.48-1; ≥ 0, < 6.16.8-1 | 2025-09-23
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: fix null deref for empty set Blamed commit broke the check for a null scratch map: - if (unlikely(!m || !*raw_cpu_ptr(m->scratch))) + if (unlikely(!raw_cpu_ptr(m->scratch))) This should have been "if (!*raw_ ...)". Use the
osv

CVE-2025-39864 | HIGH | CVSS 7.8 | CWE-416 | ≥ 5.4, < 5.4.299; ≥ 5.5, < 5.10.243; +6 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: fix use-after-free in cmp_bss()
Following bss_free() quirk introduced in commit 776b3580178f
("cfg80211: track hidden SSID networks properly"), adjust
cfg80211_update_known_bss() to free the last beacon frame
elements only if they're not shared via the corresponding
nvd, osv

CVE-2025-39837 | HIGH | CVSS 7.8 | CWE-787 | ≥ 6.16, < 6.16.6; v6.17 | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
platform/x86: asus-wmi: Fix racy registrations
asus_wmi_register_driver() may be called from multiple drivers
concurrently, which can lead to the racy list operations, eventually
corrupting the memory and hitting Oops on some ASUS machines.
Also, the error handling is missing, and i
nvd, osv

CVE-2025-39849 | HIGH | CVSS 7.8 | CWE-787 | ≥ 6.1.16, < 6.1.151; ≥ 6.2.3, < 6.6.105; +3 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
wifi: cfg80211: sme: cap SSID length in __cfg80211_connect_result()
If the ssid->datalen is more than IEEE80211_MAX_SSID_LEN (32) it would
lead to memory corruption so add some bounds checking.
nvd, osv

CVE-2025-39853 | HIGH | CVSS 7.1 | CWE-125 | ≥ 4.6, < 5.4.299; ≥ 5.5, < 5.10.243; +6 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
i40e: Fix potential invalid access when MAC list is empty
list_first_entry() never returns NULL - if the list is empty, it still
returns a pointer to an invalid object, leading to potential invalid
memory access when dereferenced.
Fix this by using list_first_entry_or_null instead
nvd, osv

CVE-2025-39863 | HIGH | CVSS 7.8 | CWE-416 | ≥ 3.10, < 6.6.105; ≥ 6.7, < 6.12.46; +2 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix use-after-free when rescheduling brcmf_btcoex_info work
The brcmf_btcoex_detach() only shuts down the btcoex timer, if the
flag timer_on is false. However, the brcmf_btcoex_timerfunc(), which
runs as timer handler, sets timer_on to false. This creates critical
ra
nvd, osv

CVE-2025-39854 | HIGH | CVSS 7.8 | CWE-416 | ≥ 6.8, < 6.12.46; ≥ 6.13, < 6.16.6; +1 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
ice: fix NULL access of tx->in_use in ice_ll_ts_intr
Recent versions of the E810 firmware have support for an extra interrupt to
handle report of the "low latency" Tx timestamps coming from the
specialized low latency firmware interface. Instead of polling the
registers, software ca
nvd, osv

CVE-2025-39860 | HIGH | CVSS 7.8 | CWE-416 | ≥ 4.14.322, < 4.15; ≥ 4.19.291, < 4.20; +8 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen()
syzbot reported the splat below without a repro.
In the splat, a single thread calling bt_accept_dequeue() freed sk
and touched it after that.
The root cause would be the racy l2cap_sock_cleanup_listen() call
added by th
nvd, osv

CVE-2025-39840 | HIGH | CVSS 7.1 | CWE-125 | ≥ 6.14, < 6.16.6; v6.17 | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
audit: fix out-of-bounds read in audit_compare_dname_path()
When a watch on dir=/ is combined with an fsnotify event for a
single-character name directly under / (e.g., creating /a), an
out-of-bounds read can occur in audit_compare_dname_path().
The helper parent_len() returns 1 fo
nvd, osv

CVE-2025-39855 | HIGH | CVSS 7.8 | CWE-416 | ≥ 6.15, < 6.16.6; v6.17 | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
ice: fix NULL access of tx->in_use in ice_ptp_ts_irq
The E810 device has support for a "low latency" firmware interface to
access and read the Tx timestamps. This interface does not use the standard
Tx timestamp logic, due to the latency overhead of proxying sideband
command request
nvd, osv

CVE-2025-39839 | HIGH | CVSS 7.1 | CWE-125 | ≥ 3.10, < 5.4.299; ≥ 5.5, < 5.10.243; +6 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: fix OOB read/write in network-coding decode
batadv_nc_skb_decode_packet() trusts coded_len and checks only against
skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing
payload headroom, and the source skb length is not verified, allowing an
out-of-bounds
nvd, osv

CVE-2025-39841 | HIGH | CVSS 7.8 | CWE-787 | ≥ 5.1, < 5.4.299; ≥ 5.5, < 5.10.243; +6 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
scsi: lpfc: Fix buffer free/clear order in deferred receive path
Fix a use-after-free window by correcting the buffer release sequence in
the deferred receive path. The code freed the RQ buffer first and only
then cleared the context pointer under the lock. Concurrent paths (e.g.,
A
nvd, osv

CVE-2025-39866 | HIGH | CVSS 7.8 | CWE-416 | ≥ 4.2, < 5.10.247; ≥ 5.11, < 5.15.192; +5 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
fs: writeback: fix use-after-free in __mark_inode_dirty()
A use-after-free issue occurred when __mark_inode_dirty() gets the
bdi_writeback that was in the process of switching.
CPU: 1 PID: 562 Comm: systemd-random- Not tainted 6.6.56-gb4403bd46a8e #1
......
pstate: 60400005 (nZCv
nvd, osv

CVE-2025-39862 | HIGH | CVSS 7.8 | CWE-787 | ≥ 6.2, < 6.16.6; v6.17 | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7915: fix list corruption after hardware restart
Since stations are recreated from scratch, all lists that wcids are added
to must be cleared before calling ieee80211_restart_hw.
Set wcid->sta = 0 for each wcid entry in order to ensure that they are
not added again bef
nvd, osv

CVE-2025-39861 | HIGH | CVSS 7.8 | CWE-416 | ≥ 6.4, < 6.6.105; ≥ 6.7, < 6.12.46; +2 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: vhci: Prevent use-after-free by removing debugfs files early
Move the creation of debugfs files into a dedicated function, and ensure
they are explicitly removed during vhci_release(), before associated
data structures are freed.
Previously, debugfs files such as "force_
nvd, osv

CVE-2025-39859 | HIGH | CVSS 7.8 | CWE-416 | ≥ 5.15, < 6.16.6; v6.17 | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
ptp: ocp: fix use-after-free bugs causing by ptp_ocp_watchdog
The ptp_ocp_detach() only shuts down the watchdog timer if it is
pending. However, if the timer handler is already running, the
timer_delete_sync() is not called. This leads to race conditions
where the devlink that conta
nvd, osv

CVE-2025-39842 | MEDIUM | CVSS 5.5 | ≥ 5.16, < 6.1.151; ≥ 6.2, < 6.6.105; +3 more | 2025-09-19
In the Linux kernel, the following vulnerability has been resolved:
ocfs2: prevent release journal inode after journal shutdown
Before calling ocfs2_delete_osb(), ocfs2_journal_shutdown() has already
been executed in ocfs2_dismount_volume(), so osb->journal must be NULL.
Therefore, the following calltrace will inevitably fail when it reaches
jbd2_journal_r
nvd, osv