Linux Kernel vulnerabilities

14,883 known vulnerabilities affecting linux/linux_kernel.

Total CVEs: 14,883
CISA KEV: 30 (actively exploited)
Public exploits: 297
Exploited in wild: 31
Severity breakdown: CRITICAL 128, HIGH 3822, MEDIUM 8775, LOW 429, UNKNOWN 1729

Vulnerabilities

Page 162 of 745
CVE-2023-53301 | HIGH | CVSS 7.1 | ≥ 5.18, < 6.1.16; ≥ 6.2, < 6.2.3 | 2025-09-16
CVE-2023-53301 [HIGH]: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix kernel crash due to null io->bio
We should return when io->bio is null before doing anything. Otherwise, panic. BUG: kernel NULL pointer dereference, address: 0000000000000010 RIP: 0010:__submit_merged_write_cond+0x164/0x240 [f2fs] Call Trace: f2fs_submit_merged_write+0x1d/0x30
Sources: nvd, osv
CVE-2023-53272 | HIGH | CVSS 7.1 | ≥ 5.8, < 5.10.188; ≥ 5.11, < 5.15.121; +3 more | 2025-09-16
CVE-2023-53272 [HIGH] CWE-125: In the Linux kernel, the following vulnerability has been resolved: net: ena: fix shift-out-of-bounds in exponential backoff
The ENA adapters on our instances occasionally reset. Once recently logged a UBSAN failure to console in the process: UBSAN: shift-out-of-bounds in build/linux/drivers/net/ethernet/amazon/ena/ena_com.c:540:13 shift exponent 3
Sources: nvd, osv
CVE-2023-53308 | HIGH | CVSS 7.8 | ≥ 4.9.206, < 4.10; ≥ 4.14.158, < 4.14.316; +9 more | 2025-09-16
CVE-2023-53308 [HIGH] CWE-415: In the Linux kernel, the following vulnerability has been resolved: net: fec: Better handle pm_runtime_get() failing in .remove()
In the (unlikely) event that pm_runtime_get() (disguised as pm_runtime_resume_and_get()) fails, the remove callback returned an error early. The problem with this is that the driver core ignores the error value and contin
Sources: nvd, osv
CVE-2023-53321 | HIGH | CVSS 7.1 | fixed in 5.4.257; ≥ 5.5, < 5.10.197; +3 more | 2025-09-16
CVE-2023-53321 [HIGH]: In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: drop short frames
While technically some control frames like ACK are shorter and end after Address 1, such frames shouldn't be forwarded through wmediumd or similar userspace, so require the full 3-address header to avoid accessing invalid memory if shorter frames are
Sources: nvd, osv
CVE-2022-50339 | HIGH | CVSS 7.0 | ≥ 6.0, < 6.0.3 | 2025-09-16
CVE-2022-50339 [HIGH] CWE-362: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()
syzbot is again reporting attempt to cancel uninitialized work at mgmt_index_removed() [1], for setting of HCI_MGMT flag from mgmt_init_hdev() from hci_mgmt_cmd() from hci_sock_sendmsg() can race with testing of HCI_MG
Sources: nvd, osv
CVE-2025-39821 | HIGH | CVSS 7.8 | ≥ 6.16, < 6.16.5; v6.17 | 2025-09-16
CVE-2025-39821 [HIGH] CWE-787: In the Linux kernel, the following vulnerability has been resolved: perf: Avoid undefined behavior from stopping/starting inactive events
Calling pmu->start()/stop() on perf events in PERF_EVENT_STATE_OFF can leave event->hw.idx at -1. When PMU drivers later attempt to use this negative index as a shift exponent in bitwise operations, it leads to UBS
Sources: nvd, osv
CVE-2023-53265 | HIGH | CVSS 7.1 | ≥ 2.6.22, < 4.14.308; ≥ 4.15, < 4.19.276; +5 more | 2025-09-16
CVE-2023-53265 [HIGH] CWE-125: In the Linux kernel, the following vulnerability has been resolved: ubi: ensure that VID header offset + VID header size __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x85/0xad lib/dump_stack.c:106 print_address_description mm/kasan/report.c:317 [inline] print_report.cold.13+0xb6/0x6bb mm/kasan/report.c:433 kasan_report+0xa7/0x11b mm/kasan
Sources: nvd, osv
CVE-2025-39835 | HIGH | CVSS 7.8 | ≥ 5.9, < 5.10.242; ≥ 5.11, < 5.15.191; +5 more | 2025-09-16
CVE-2025-39835 [HIGH]: In the Linux kernel, the following vulnerability has been resolved: xfs: do not propagate ENODATA disk errors into xattr code
ENODATA (aka ENOATTR) has a very specific meaning in the xfs xattr code; namely, that the requested attribute name could not be found. However, a medium error from disk may also return ENODATA. At best, this medium error may escape
Sources: nvd, osv
CVE-2025-39810 | HIGH | CVSS 7.8 | ≥ 5.4, < 6.12.45; ≥ 6.13, < 6.16.5; +1 more | 2025-09-16
CVE-2025-39810 [HIGH] CWE-787: In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix memory corruption when FW resources change during ifdown
bnxt_set_dflt_rings() assumes that it is always called before any TC has been created. So it doesn't take bp->num_tc into account and assumes that it is always 0 or 1. In the FW resource or capability change scena
Sources: nvd, osv
CVE-2023-53286 | HIGH | CVSS 7.8 | fixed in 5.10.192; ≥ 5.11, < 5.15.128; +2 more | 2025-09-16
CVE-2023-53286 [HIGH]: In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Return the firmware result upon destroying QP/RQ
Previously when destroying a QP/RQ, the result of the firmware destruction function was ignored and upper layers weren't informed about the failure. Which in turn could lead to various problems since when upper layer isn't aware of
Sources: nvd, osv
CVE-2023-53311 | HIGH | CVSS 7.8 | ≥ 4.0, < 4.14.323; ≥ 4.15, < 4.19.292; +6 more | 2025-09-16
CVE-2023-53311 [HIGH] CWE-416: In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
During unmount process of nilfs2, nothing holds nilfs_root structure after nilfs2 detaches its writer in nilfs_detach_log_writer(). Previously, nilfs_evict_inode() could cause use-after-free read for nilfs_root if
Sources: nvd, osv
CVE-2025-39809 | HIGH | CVSS 7.8 | ≥ 6.14, < 6.16.5; v6.17 | 2025-09-16
CVE-2025-39809 [HIGH] CWE-787: In the Linux kernel, the following vulnerability has been resolved: HID: intel-thc-hid: intel-quicki2c: Fix ACPI dsd ICRS/ISUB length
The QuickI2C ACPI _DSD methods return ICRS and ISUB data with a trailing byte, making the actual length is one more byte than the structs defined. It caused stack-out-of-bounds and kernel crash: kernel: BUG: KASAN:
Sources: nvd, osv
CVE-2025-39828 | HIGH | CVSS 7.8 | ≥ 2.6.12.1, < 5.4.298; ≥ 5.5, < 5.10.242; +7 more | 2025-09-16
CVE-2025-39828 [HIGH]: In the Linux kernel, the following vulnerability has been resolved: atm: atmtcp: Prevent arbitrary write in atmtcp_recv_control().
syzbot reported the splat below. [0] When atmtcp_v_open() or atmtcp_v_close() is called via connect() or close(), atmtcp_send_control() is called to send an in-kernel special message. The message has ATMTCP_HDR_MAGIC in atmtcp_
Sources: nvd, osv
CVE-2023-53305 | HIGH | CVSS 7.8 | fixed in 4.14.324; ≥ 4.15, < 4.19.293; +5 more | 2025-09-16
CVE-2023-53305 [HIGH] CWE-416: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free
Fix potential use-after-free in l2cap_le_command_rej.
Sources: nvd, osv
CVE-2025-39806 | HIGH | CVSS 7.1 | ≥ 5.15.168, < 5.15.191; ≥ 6.1.111, < 6.1.150; +6 more | 2025-09-16
CVE-2025-39806 [HIGH] CWE-125: In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: fix slab out-of-bounds access in mt_report_fixup()
A malicious HID device can trigger a slab out-of-bounds during mt_report_fixup() by passing in report descriptor smaller than 607 bytes. mt_report_fixup() attempts to patch byte offset 607 of the descriptor with 0x2
Sources: nvd, osv
CVE-2023-53331 | HIGH | CVSS 7.8 | ≥ 3.18.133, < 3.19; ≥ 4.4.172, < 4.5; +9 more | 2025-09-16
CVE-2023-53331 [HIGH] CWE-787: In the Linux kernel, the following vulnerability has been resolved: pstore/ram: Check start of empty przs during init
After commit 30696378f68a ("pstore/ram: Do not treat empty buffers as valid"), initialization would assume a prz was valid after seeing that the buffer_size is zero (regardless of the buffer start position). This unchecked start valu
Sources: nvd, osv
CVE-2025-39818 | HIGH | CVSS 7.8 | ≥ 6.14, < 6.16.5; v6.17 | 2025-09-16
CVE-2025-39818 [HIGH] CWE-787: In the Linux kernel, the following vulnerability has been resolved: HID: intel-thc-hid: intel-thc: Fix incorrect pointer arithmetic in I2C regs save
Improper use of secondary pointer (&dev->i2c_subip_regs) caused kernel crash and out-of-bounds error: BUG: KASAN: slab-out-of-bounds in _regmap_bulk_read+0x449/0x510 Write of size 4 at addr ffff88813600
Sources: nvd, osv
CVE-2025-39817 | HIGH | CVSS 7.1 | ≥ 3.8.2, < 5.4.298; ≥ 5.5, < 5.10.242; +6 more | 2025-09-16
CVE-2025-39817 [HIGH] CWE-125: In the Linux kernel, the following vulnerability has been resolved: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare
Observed on kernel 6.6 (present on master as well): BUG: KASAN: slab-out-of-bounds in memcmp+0x98/0xd0 Call trace: kasan_check_range+0xe8/0x190 __asan_loadN+0x1c/0x28 memcmp+0x98/0xd0 efivarfs_d_compare+0x68/0xd8 __d_lookup_rcu
Sources: nvd, osv
CVE-2023-53307 | HIGH | CVSS 7.8 | ≥ 4.9, < 4.14.308; ≥ 4.15, < 4.19.276; +5 more | 2025-09-16
CVE-2023-53307 [HIGH] CWE-416: In the Linux kernel, the following vulnerability has been resolved: rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
If getting an ID or setting up a work queue in rbd_dev_create() fails, use-after-free on rbd_dev->rbd_client, rbd_dev->spec and rbd_dev->opts is triggered in do_rbd_add(). The root cause is that the ownership of t
Sources: nvd, osv
CVE-2023-53263 | HIGH | CVSS 7.8 | ≥ 6.0, < 6.1.47; ≥ 6.2, < 6.4.12; +1 more | 2025-09-16
CVE-2023-53263 [HIGH] CWE-416: In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/disp: fix use-after-free in error handling of nouveau_connector_create
We can't simply free the connector after calling drm_connector_init on it. We need to clean up the drm side first. It might not fix all regressions from commit 2b5d1c29f6c4 ("drm/nouveau/disp: PIOR D
Sources: nvd, osv