Linux Kernel vulnerabilities

CVE-2025-71132 [MEDIUM] CVE-2025-71132: In the Linux kernel, the following vulnerability has been resolved: smc91x: fix broken irq-context In the Linux kernel, the following vulnerability has been resolved: smc91x: fix broken irq-context in PREEMPT_RT When smc91x.c is built with PREEMPT_RT, the following splat occurs in FVP_RevC: [ 13.055000] smc91x LNRO0003:00 eth0: link up, 10Mbps, half-duplex, lpa 0x0000 [ 13.062137] BUG: workqueue leaked atomic, lock or RCU: kworker/2:1[106] [ 13.062137]

CVE-2025-71108 [MEDIUM] CVE-2025-71108: In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Handle incorr In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Handle incorrect num_connectors capability The UCSI spec states that the num_connectors field is 7 bits, and the 8th bit is reserved and should be set to zero. Some buggy FW has been known to set this bit, and it can lead to a system not booting. Flag that the FW is not

CVE-2025-71131 [MEDIUM] CVE-2025-71131: In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req- In the Linux kernel, the following vulnerability has been resolved: crypto: seqiv - Do not use req->iv after crypto_aead_encrypt As soon as crypto_aead_encrypt is called, the underlying request may be freed by an asynchronous completion. Thus dereferencing req->iv after it returns is invalid. Instead of checking req->iv against info, create a new variabl

CVE-2025-71126 [MEDIUM] CWE-667 CVE-2025-71126: In the Linux kernel, the following vulnerability has been resolved: mptcp: avoid deadlock on fallba In the Linux kernel, the following vulnerability has been resolved: mptcp: avoid deadlock on fallback while reinjecting Jakub reported an MPTCP deadlock at fallback time: WARNING: possible recursive locking detected 6.18.0-rc7-virtme #1 Not tainted mptcp_connect/20858 is trying to acquire lock: ff1100001da18b60 (&msk->fallback_lock){+.-.}-{3:3},

CVE-2025-71139 [MEDIUM] CVE-2025-71139: In the Linux kernel, the following vulnerability has been resolved: kernel/kexec: fix IMA when allo In the Linux kernel, the following vulnerability has been resolved: kernel/kexec: fix IMA when allocation happens in CMA area *** Bug description *** When I tested kexec with the latest kernel, I ran into the following warning: [ 40.712410] ------------[ cut here ]------------ [ 40.712576] WARNING: CPU: 2 PID: 1562 at kernel/kexec_core.c:1001 kimage_map

CVE-2025-71113 [MEDIUM] CWE-908 CVE-2025-71113: In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - zero initializ In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - zero initialize memory allocated via sock_kmalloc Several crypto user API contexts and requests allocated with sock_kmalloc() were left uninitialized, relying on callers to set fields explicitly. This resulted in the use of uninitialized data in certain error path

CVE-2025-71104 [MEDIUM] CWE-667 CVE-2025-71104: In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup af In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix VM hard lockup after prolonged inactivity with periodic HV timer When advancing the target expiration for the guest's APIC timer in periodic mode, set the expiration to "now" if the target expiration is in the past (similar to what is done in update_target_expiration

CVE-2025-71119 [MEDIUM] CVE-2025-71119: In the Linux kernel, the following vulnerability has been resolved: powerpc/kexec: Enable SMT befor In the Linux kernel, the following vulnerability has been resolved: powerpc/kexec: Enable SMT before waking offline CPUs If SMT is disabled or a partial SMT state is enabled, when a new kernel image is loaded for kexec, on reboot the following warning is observed: kexec: Waking offline cpu 228. WARNING: CPU: 0 PID: 9062 at arch/powerpc/kexec/core_64.c:22

CVE-2025-71124 [MEDIUM] CWE-476 CVE-2025-71124: In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: move preempt_prep In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: move preempt_prepare_postamble after error check Move the call to preempt_prepare_postamble() after verifying that preempt_postamble_ptr is valid. If preempt_postamble_ptr is NULL, dereferencing it in preempt_prepare_postamble() would lead to a crash. This change av

CVE-2025-71114 [MEDIUM] CWE-401 CVE-2025-71114: In the Linux kernel, the following vulnerability has been resolved: via_wdt: fix critical boot hang In the Linux kernel, the following vulnerability has been resolved: via_wdt: fix critical boot hang due to unnamed resource allocation The VIA watchdog driver uses allocate_resource() to reserve a MMIO region for the watchdog control register. However, the allocated resource was not given a name, which causes the kernel resource tree to contain an

CVE-2025-71135 [MEDIUM] CWE-476 CVE-2025-71135: In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix possible null-poi In the Linux kernel, the following vulnerability has been resolved: md/raid5: fix possible null-pointer dereferences in raid5_store_group_thread_cnt() The variable mddev->private is first assigned to conf and then checked: conf = mddev->private; if (!conf) ... If conf is NULL, then mddev->private is also NULL. In this case, null-pointer derefere

CVE-2025-71138 [MEDIUM] CWE-476 CVE-2025-71138: In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add missing NULL p In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add missing NULL pointer check for pingpong interface It is checked almost always in dpu_encoder_phys_wb_setup_ctl(), but in a single place the check is missing. Also use convenient locals instead of phys_enc->* where available. Patchwork: https://patchwork.freedeskt

CVE-2025-71117 [MEDIUM] CWE-667 CVE-2025-71117: In the Linux kernel, the following vulnerability has been resolved: block: Remove queue freezing fr In the Linux kernel, the following vulnerability has been resolved: block: Remove queue freezing from several sysfs store callbacks Freezing the request queue from inside sysfs store callbacks may cause a deadlock in combination with the dm-multipath driver and the queue_if_no_path option. Additionally, freezing the request queue slows down system

CVE-2025-71118 [MEDIUM] CWE-476 CVE-2025-71118: In the Linux kernel, the following vulnerability has been resolved: ACPICA: Avoid walking the Names In the Linux kernel, the following vulnerability has been resolved: ACPICA: Avoid walking the Namespace if start_node is NULL Although commit 0c9992315e73 ("ACPICA: Avoid walking the ACPI Namespace if it is not there") fixed the situation when both start_node and acpi_gbl_root_node are NULL, the Linux kernel mainline now still crashed on Honor Mag

CVE-2025-71141 [MEDIUM] CVE-2025-71141: In the Linux kernel, the following vulnerability has been resolved: drm/tilcdc: Fix removal actions In the Linux kernel, the following vulnerability has been resolved: drm/tilcdc: Fix removal actions in case of failed probe The drm_kms_helper_poll_fini() and drm_atomic_helper_shutdown() helpers should only be called when the device has been successfully registered. Currently, these functions are called unconditionally in tilcdc_fini(), which causes warn

CVE-2025-71120 [MEDIUM] CWE-476 CVE-2025-71120: In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL In the Linux kernel, the following vulnerability has been resolved: SUNRPC: svcauth_gss: avoid NULL deref on zero length gss_token in gss_read_proxy_verf A zero length gss_token results in pages == 0 and in_token->pages[0] is NULL. The code unconditionally evaluates page_address(in_token->pages[0]) for the initial memcpy, which can dereference NUL

CVE-2025-71107 [MEDIUM] CWE-476 CVE-2025-71107: In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads co In the Linux kernel, the following vulnerability has been resolved: f2fs: ensure node page reads complete before f2fs_put_super() finishes Xfstests generic/335, generic/336 sometimes crash with the following message: F2FS-fs (dm-0): detect filesystem reference count leak during umount, type: 9, count: 1 ------------[ cut here ]------------ kernel

CVE-2025-71109 [MEDIUM] CWE-787 CVE-2025-71109: In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corrup In the Linux kernel, the following vulnerability has been resolved: MIPS: ftrace: Fix memory corruption when kernel is located beyond 32 bits Since commit e424054000878 ("MIPS: Tracing: Reduce the overhead of dynamic Function Tracer"), the macro UASM_i_LA_mostly has been used, and this macro can generate more than 2 instructions. At the same time,

CVE-2025-71142 [MEDIUM] CVE-2025-71142: In the Linux kernel, the following vulnerability has been resolved: cpuset: fix warning when disabl In the Linux kernel, the following vulnerability has been resolved: cpuset: fix warning when disabling remote partition A warning was triggered as follows: WARNING: kernel/cgroup/cpuset.c:1651 at remote_partition_disable+0xf7/0x110 RIP: 0010:remote_partition_disable+0xf7/0x110 RSP: 0018:ffffc90001947d88 EFLAGS: 00000206 RAX: 0000000000007fff RBX: ffff888

CVE-2025-71127 [MEDIUM] CVE-2025-71127: In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Discard Beacon In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Discard Beacon frames to non-broadcast address Beacon frames are required to be sent to the broadcast address, see IEEE Std 802.11-2020, 11.1.3.1 ("The Address 1 field of the Beacon .. frame shall be set to the broadcast address"). A unicast Beacon frame might be used as a