Linux Kernel vulnerabilities

CVE-2025-39833 [MEDIUM] CWE-908 CVE-2025-39833: In the Linux kernel, the following vulnerability has been resolved: mISDN: hfcpci: Fix warning when In the Linux kernel, the following vulnerability has been resolved: mISDN: hfcpci: Fix warning when deleting uninitialized timer With CONFIG_DEBUG_OBJECTS_TIMERS unloading hfcpci module leads to the following splat: [ 250.215892] ODEBUG: assert_init not available (active state 0) object: ffffffffc01a3dc0 object type: timer_list hint: 0x0 [ 250.21

CVE-2023-53309 [MEDIUM] CWE-190 CVE-2023-53309: In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Fix integer overflo In the Linux kernel, the following vulnerability has been resolved: drm/radeon: Fix integer overflow in radeon_cs_parser_init The type of size is unsigned, if size is 0x40000000, there will be an integer overflow, size will be zero after size *= sizeof(uint32_t), will cause uninitialized memory to be referenced later

CVE-2022-50350 [MEDIUM] CWE-362 CVE-2022-50350: In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix a race In the Linux kernel, the following vulnerability has been resolved: scsi: target: iscsi: Fix a race condition between login_work and the login thread In case a malicious initiator sends some random data immediately after a login PDU; the iscsi_target_sk_data_ready() callback will schedule the login_work and, at the same time, the negotiation may e

CVE-2023-53325 [MEDIUM] CWE-476 CVE-2023-53325: In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: dp: Change loggin In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: dp: Change logging to dev for mtk_dp_aux_transfer() Change logging from drm_{err,info}() to dev_{err,info}() in functions mtk_dp_aux_transfer() and mtk_dp_aux_do_transfer(): this will be essential to avoid getting NULL pointer kernel panics if any kind of error happe

CVE-2023-53313 [MEDIUM] CVE-2023-53313: In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix wrong setting of In the Linux kernel, the following vulnerability has been resolved: md/raid10: fix wrong setting of max_corr_read_errors There is no input check when echo md/max_read_errors and overflow might occur. Add check of input number.

CVE-2023-53294 [MEDIUM] CWE-476 CVE-2023-53294: In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix null-ptr-deref on In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Fix null-ptr-deref on inode->i_op in ntfs_lookup() Syzbot reported a null-ptr-deref bug: ntfs3: loop0: Different NTFS' sector size (1024) and media sector size (512) ntfs3: loop0: Mark volume as dirty due to NTFS errors general protection fault, probably for non-canonic

CVE-2025-39831 [MEDIUM] CVE-2025-39831: In the Linux kernel, the following vulnerability has been resolved: fbnic: Move phylink resume out In the Linux kernel, the following vulnerability has been resolved: fbnic: Move phylink resume out of service_task and into open/close The fbnic driver was presenting with the following locking assert coming out of a PM resume: [ 42.208116][ T164] RTNL: assertion failed at drivers/net/phy/phylink.c (2611) [ 42.208492][ T164] WARNING: CPU: 1 PID: 164 at dri

CVE-2023-53324 [MEDIUM] CVE-2023-53324: In the Linux kernel, the following vulnerability has been resolved: drm/msm/mdp5: Don't leak some p In the Linux kernel, the following vulnerability has been resolved: drm/msm/mdp5: Don't leak some plane state Apparently no one noticed that mdp5 plane states leak like a sieve ever since we introduced plane_state->commit refcount a few years ago in 21a01abbe32a ("drm/atomic: Fix freeing connector/plane state too early by tracking commits, v3.") Fix it b

CVE-2025-39811 [MEDIUM] CWE-476 CVE-2025-39811: In the Linux kernel, the following vulnerability has been resolved: drm/xe/vm: Clear the scratch_pt In the Linux kernel, the following vulnerability has been resolved: drm/xe/vm: Clear the scratch_pt pointer on error Avoid triggering a dereference of an error pointer on cleanup in xe_vm_free_scratch() by clearing any scratch_pt error pointer. (cherry picked from commit 358ee50ab565f3c8ea32480e9d03127a81ba32f8)

CVE-2022-50345 CVE-2022-50345: In the Linux kernel, the following vulnerability has been resolved: NFSD: Protect against send buffer overflow in NFSv3 READ Since before the git era, In the Linux kernel, the following vulnerability has been resolved: NFSD: Protect against send buffer overflow in NFSv3 READ Since before the git era, NFSD has conserved the number of pages held by each nfsd thread by combining the RPC receive and send buffers into a single array of pages. This works because there ar

CVE-2023-53293 Bluetooth: btrtl: check for NULL in btrtl_set_quirks() Bluetooth: btrtl: check for NULL in btrtl_set_quirks() In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: check for NULL in btrtl_set_quirks() The btrtl_set_quirks() has accessed btrtl_dev->ic_info->lmp_subver since b8e482d02513. However, if installing a Realtek Bluetooth controller without the driver supported, it will hit the NULL point accessed. Add a check for NULL to avoid the Kernel

CVE-2023-53217 [HIGH] CVE-2023-53217: In the Linux kernel, the following vulnerability has been resolved: nubus: Partially revert proc_cr In the Linux kernel, the following vulnerability has been resolved: nubus: Partially revert proc_create_single_data() conversion The conversion to proc_create_single_data() introduced a regression whereby reading a file in /proc/bus/nubus results in a seg fault: # grep -r . /proc/bus/nubus/e/ Data read fault at 0x00000020 in Super Data (pc=0x1074c2) BAD KE

CVE-2022-50235 [HIGH] CWE-787 CVE-2022-50235: In the Linux kernel, the following vulnerability has been resolved: NFSD: Protect against send buff In the Linux kernel, the following vulnerability has been resolved: NFSD: Protect against send buffer overflow in NFSv2 READDIR Restore the previous limit on the @count argument to prevent a buffer overflow attack.

CVE-2022-50329 [HIGH] CWE-416 CVE-2022-50329: In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix uaf for bfqq in In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq Commit 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") will access 'bic->bfqq' in bic_set_bfqq(), however, bfq_exit_icq_bfqq() can free bfqq first, and then call bic_set_bfqq(), which will cause uaf. Fix the problem by

CVE-2022-50274 [HIGH] CWE-416 CVE-2022-50274: In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: adopts refcnt to In the Linux kernel, the following vulnerability has been resolved: media: dvbdev: adopts refcnt to avoid UAF dvb_unregister_device() is known that prone to use-after-free. That is, the cleanup from dvb_unregister_device() releases the dvb_device even if there are pointers stored in file->private_data still refer to it. This patch adds a reference

CVE-2023-53213 [HIGH] CWE-125 CVE-2023-53213: In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: slab-out-of-bou In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Fix a slab-out-of-bounds read that occurs in kmemdup() called from brcmf_get_assoc_ies(). The bug could occur when assoc_info->req_len, data from a URB provided by a USB device, is bigger than the size of buffer which

CVE-2025-39804 [HIGH] CVE-2025-39804: In the Linux kernel, the following vulnerability has been resolved: lib/crypto: arm64/poly1305: Fix In the Linux kernel, the following vulnerability has been resolved: lib/crypto: arm64/poly1305: Fix register corruption in no-SIMD contexts Restore the SIMD usability check that was removed by commit a59e5468a921 ("crypto: arm64/poly1305 - Add block-only interface"). This safety check is cheap and is well worth eliminating a footgun. While the Poly1305 fun

CVE-2023-53257 [HIGH] CVE-2023-53257: In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: check S1G actio In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: check S1G action frame size Before checking the action code, check that it even exists in the frame.

CVE-2022-50315 [HIGH] CWE-129 CVE-2022-50315: In the Linux kernel, the following vulnerability has been resolved: ata: ahci: Match EM_MAX_SLOTS w In the Linux kernel, the following vulnerability has been resolved: ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS UBSAN complains about array-index-out-of-bounds: [ 1.980703] kernel: UBSAN: array-index-out-of-bounds in /build/linux-9H675w/linux-5.15.0/drivers/ata/libahci.c:968:41 [ 1.980709] kernel: index 15 is out of range for type 'ahci_em

CVE-2023-53219 [HIGH] CWE-416 CVE-2023-53219: In the Linux kernel, the following vulnerability has been resolved: media: netup_unidvb: fix use-af In the Linux kernel, the following vulnerability has been resolved: media: netup_unidvb: fix use-after-free at del_timer() When Universal DVB card is detaching, netup_unidvb_dma_fini() uses del_timer() to stop dma->timeout timer. But when timer handler netup_unidvb_dma_timeout() is running, del_timer() could not stop it. As a result, the use-after-f