Linux Kernel vulnerabilities

CVE-2025-39823 [HIGH] CWE-129 CVE-2025-39823: In the Linux kernel, the following vulnerability has been resolved: KVM: x86: use array_index_nospe In the Linux kernel, the following vulnerability has been resolved: KVM: x86: use array_index_nospec with indices that come from guest min and dest_id are guest-controlled indices. Using array_index_nospec() after the bounds checks clamps these values to mitigate speculative execution side-channels.

CVE-2025-39826 [HIGH] CWE-416 CVE-2025-39826: In the Linux kernel, the following vulnerability has been resolved: net: rose: convert 'use' field In the Linux kernel, the following vulnerability has been resolved: net: rose: convert 'use' field to refcount_t The 'use' field in struct rose_neigh is used as a reference counter but lacks atomicity. This can lead to race conditions where a rose_neigh structure is freed while still being referenced by other code paths. For example, when rose_neigh

CVE-2023-53285 [HIGH] CVE-2023-53285: In the Linux kernel, the following vulnerability has been resolved: ext4: add bounds checking in ge In the Linux kernel, the following vulnerability has been resolved: ext4: add bounds checking in get_max_inline_xattr_value_size() Normally the extended attributes in the inode body would have been checked when the inode is first opened, but if someone is writing to the block device while the file system is mounted, it's possible for the inode table to get

CVE-2023-53320 [HIGH] CWE-787 CVE-2023-53320: In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix issues in mpi In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Fix issues in mpi3mr_get_all_tgt_info() The function mpi3mr_get_all_tgt_info() has four issues: 1) It calculates valid entry length in alltgt_info assuming the header part of the struct mpi3mr_device_map_info would equal to sizeof(u32). The correct size is sizeof(u64)

CVE-2025-39836 [HIGH] CWE-787 CVE-2025-39836: In the Linux kernel, the following vulnerability has been resolved: efi: stmm: Fix incorrect buffer In the Linux kernel, the following vulnerability has been resolved: efi: stmm: Fix incorrect buffer allocation method The communication buffer allocated by setup_mm_hdr() is later on passed to tee_shm_register_kernel_buf(). The latter expects those buffers to be contiguous pages, but setup_mm_hdr() just uses kmalloc(). That can cause various corrupt

CVE-2023-53269 [MEDIUM] CVE-2023-53269: In the Linux kernel, the following vulnerability has been resolved: block: ublk: make sure that blo In the Linux kernel, the following vulnerability has been resolved: block: ublk: make sure that block size is set correctly block size is one very key setting for block layer, and bad block size could panic kernel easily. Make sure that block size is set correctly. Meantime if ublk_validate_params() fails, clear ub->params so that disk is prevented from

CVE-2023-53267 [MEDIUM] CWE-401 CVE-2023-53267: In the Linux kernel, the following vulnerability has been resolved: driver: soc: xilinx: fix memory In the Linux kernel, the following vulnerability has been resolved: driver: soc: xilinx: fix memory leak in xlnx_add_cb_for_notify_event() The kfree() should be called when memory fails to be allocated for cb_data in xlnx_add_cb_for_notify_event(), otherwise there will be a memory leak, so add kfree() to fix it.

CVE-2022-50340 [MEDIUM] CWE-617 CVE-2022-50340: In the Linux kernel, the following vulnerability has been resolved: media: vimc: Fix wrong function In the Linux kernel, the following vulnerability has been resolved: media: vimc: Fix wrong function called when vimc_init() fails In vimc_init(), when platform_driver_register(&vimc_pdrv) fails, platform_driver_unregister(&vimc_pdrv) is wrongly called rather than platform_device_unregister(&vimc_pdev), which causes kernel warning: Unexpected driv

CVE-2023-53292 [MEDIUM] CWE-476 CVE-2023-53292: In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix NULL dereference on In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix NULL dereference on q->elevator in blk_mq_elv_switch_none After grabbing q->sysfs_lock, q->elevator may become NULL because of elevator switch. Fix the NULL dereference on q->elevator by checking it with lock.

CVE-2023-53296 [MEDIUM] CWE-476 CVE-2023-53296: In the Linux kernel, the following vulnerability has been resolved: sctp: check send stream number In the Linux kernel, the following vulnerability has been resolved: sctp: check send stream number after wait_for_sndbuf This patch fixes a corner case where the asoc out stream count may change after wait_for_sndbuf. When the main thread in the client starts a connection, if its out stream count is set to N while the in stream count in the server

CVE-2023-53328 [MEDIUM] CWE-476 CVE-2023-53328: In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Enhance sanity check In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Enhance sanity check while generating attr_list ni_create_attr_list uses WARN_ON to catch error cases while generating attribute list, which only prints out stack trace and may not be enough. This repalces them with more proper error handling flow. [ 59.666332] BUG: kern

CVE-2023-53318 [MEDIUM] CWE-401 CVE-2023-53318: In the Linux kernel, the following vulnerability has been resolved: recordmcount: Fix memory leaks In the Linux kernel, the following vulnerability has been resolved: recordmcount: Fix memory leaks in the uwrite function Common realloc mistake: 'file_append' nulled but not freed upon failure

CVE-2022-50349 [MEDIUM] CWE-401 CVE-2022-50349: In the Linux kernel, the following vulnerability has been resolved: misc: tifm: fix possible memory In the Linux kernel, the following vulnerability has been resolved: misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() If device_register() returns error in tifm_7xx1_switch_media(), name of kobject which is allocated in dev_set_name() called in device_add() is leaked. Never directly free @dev after calling device_register(), even i

CVE-2025-39832 [MEDIUM] CWE-667 CVE-2025-39832: In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix lockdep assertion In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix lockdep assertion on sync reset unload event Fix lockdep assertion triggered during sync reset unload event. When the sync reset flow is initiated using the devlink reload fw_activate option, the PF already holds the devlink lock while handling unload event. In this

CVE-2023-53300 [MEDIUM] CWE-401 CVE-2023-53300: In the Linux kernel, the following vulnerability has been resolved: media: hi846: Fix memleak in hi In the Linux kernel, the following vulnerability has been resolved: media: hi846: Fix memleak in hi846_init_controls() hi846_init_controls doesn't clean the allocated ctrl_hdlr in case there is a failure, which causes memleak. Add v4l2_ctrl_handler_free to free the resource properly.

CVE-2023-53276 [MEDIUM] CWE-401 CVE-2023-53276: In the Linux kernel, the following vulnerability has been resolved: ubifs: Free memory for tmpfile In the Linux kernel, the following vulnerability has been resolved: ubifs: Free memory for tmpfile name When opening a ubifs tmpfile on an encrypted directory, function fscrypt_setup_filename allocates memory for the name that is to be stored in the directory entry, but after the name has been copied to the directory entry inode, the memory is not

CVE-2023-53319 [MEDIUM] CVE-2023-53319: In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Handle kvm_arm_init In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Handle kvm_arm_init failure correctly in finalize_pkvm Currently there is no synchronisation between finalize_pkvm() and kvm_arm_init() initcalls. The finalize_pkvm() proceeds happily even if kvm_arm_init() fails resulting in the following warning on all the CPUs and eventuall

CVE-2023-53302 [MEDIUM] CWE-476 CVE-2023-53302: In the Linux kernel, the following vulnerability has been resolved: wifi: iwl4965: Add missing chec In the Linux kernel, the following vulnerability has been resolved: wifi: iwl4965: Add missing check for create_singlethread_workqueue() Add the check for the return value of the create_singlethread_workqueue() in order to avoid NULL pointer dereference.

CVE-2022-50352 [MEDIUM] CWE-401 CVE-2022-50352: In the Linux kernel, the following vulnerability has been resolved: net: hns: fix possible memory l In the Linux kernel, the following vulnerability has been resolved: net: hns: fix possible memory leak in hnae_ae_register() Inject fault while probing module, if device_register() fails, but the refcount of kobject is not decreased to 0, the name allocated in dev_set_name() is leaked. Fix this by calling put_device(), so that name can be freed in

CVE-2023-53291 [MEDIUM] CVE-2023-53291: In the Linux kernel, the following vulnerability has been resolved: rcu/rcuscale: Stop kfree_scale_ In the Linux kernel, the following vulnerability has been resolved: rcu/rcuscale: Stop kfree_scale_thread thread(s) after unloading rcuscale Running the 'kfree_rcu_test' test case [1] results in a splat [2]. The root cause is the kfree_scale_thread thread(s) continue running after unloading the rcuscale module. This commit fixes that isue by invoking kfre