Linux Kernel vulnerabilities

CVE-2025-71115 [MEDIUM] CWE-908 CVE-2025-71115: In the Linux kernel, the following vulnerability has been resolved: um: init cpu_tasks[] earlier T In the Linux kernel, the following vulnerability has been resolved: um: init cpu_tasks[] earlier This is currently done in uml_finishsetup(), but e.g. with KCOV enabled we'll crash because some init code can call into e.g. memparse(), which has coverage annotations, and then the checks in check_kcov_mode() crash because current is NULL. Simply in

CVE-2025-71102 [MEDIUM] CVE-2025-71102: In the Linux kernel, the following vulnerability has been resolved: scs: fix a wrong parameter in _ In the Linux kernel, the following vulnerability has been resolved: scs: fix a wrong parameter in __scs_magic __scs_magic() needs a 'void *' variable, but a 'struct task_struct *' is given. 'task_scs(tsk)' is the starting address of the task's shadow call stack, and '__scs_magic(task_scs(tsk))' is the end address of the task's shadow call stack. Here shou

CVE-2025-71105 [MEDIUM] CVE-2025-71105: In the Linux kernel, the following vulnerability has been resolved: f2fs: use global inline_xattr_s In the Linux kernel, the following vulnerability has been resolved: f2fs: use global inline_xattr_slab instead of per-sb slab cache As Hong Yun reported in mailing list: loop7: detected capacity change from 0 to 131072 ------------[ cut here ]------------ kmem_cache of name 'f2fs_xattr_entry-7:7' already exists WARNING: CPU: 0 PID: 24426 at mm/slab_commo

CVE-2025-71129 [MEDIUM] CVE-2025-71129: In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Sign extend kfu In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Sign extend kfunc call arguments The kfunc calls are native calls so they should follow LoongArch calling conventions. Sign extend its arguments properly to avoid kernel panic. This is done by adding a new emit_abi_ext() helper. The emit_abi_ext() helper performs extension

CVE-2025-71111 [MEDIUM] CWE-367 CVE-2025-71111: In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Convert macros In the Linux kernel, the following vulnerability has been resolved: hwmon: (w83791d) Convert macros to functions to avoid TOCTOU The macro FAN_FROM_REG evaluates its arguments multiple times. When used in lockless contexts involving shared driver data, this leads to Time-of-Check to Time-of-Use (TOCTOU) race conditions, potentially causing divide-

CVE-2025-71125 [MEDIUM] CWE-476 CVE-2025-71125: In the Linux kernel, the following vulnerability has been resolved: tracing: Do not register unsupp In the Linux kernel, the following vulnerability has been resolved: tracing: Do not register unsupported perf events Synthetic events currently do not have a function to register perf events. This leads to calling the tracepoint register functions with a NULL function pointer which triggers: ------------[ cut here ]------------ WARNING: kernel/tr

CVE-2025-71130 [MEDIUM] CWE-476 CVE-2025-71130: In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Zero-initialize t In the Linux kernel, the following vulnerability has been resolved: drm/i915/gem: Zero-initialize the eb.vma array in i915_gem_do_execbuffer Initialize the eb.vma array with values of 0 when the eb structure is first set up. In particular, this sets the eb->vma[i].vma pointers to NULL, simplifying cleanup and getting rid of the bug described below

CVE-2025-71121 [MEDIUM] CVE-2025-71121: In the Linux kernel, the following vulnerability has been resolved: parisc: Do not reprogram affini In the Linux kernel, the following vulnerability has been resolved: parisc: Do not reprogram affinitiy on ASP chip The ASP chip is a very old variant of the GSP chip and is used e.g. in HP 730 workstations. When trying to reprogram the affinity it will crash with a HPMC as the relevant registers don't seem to be at the usual location. Let's avoid the cras

CVE-2025-71106 [MEDIUM] CVE-2025-71106: In the Linux kernel, the following vulnerability has been resolved: fs: PM: Fix reverse check in fi In the Linux kernel, the following vulnerability has been resolved: fs: PM: Fix reverse check in filesystems_freeze_callback() The freeze_all_ptr check in filesystems_freeze_callback() introduced by commit a3f8f8662771 ("power: always freeze efivarfs") is reverse which quite confusingly causes all file systems to be frozen when filesystem_freeze_enabled i

CVE-2025-71144 [MEDIUM] CVE-2025-71144: In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure context reset on In the Linux kernel, the following vulnerability has been resolved: mptcp: ensure context reset on disconnect() After the blamed commit below, if the MPC subflow is already in TCP_CLOSE status or has fallback to TCP at mptcp_disconnect() time, mptcp_do_fastclose() skips setting the `send_fastclose flag` and the later __mptcp_close_ssk() does not reset anym

CVE-2025-71140 CVE-2025-71140: In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Use spinlock for context list protection lock Previously a mutex was added to protect the encoder and decoder context lists from unexpected changes originating from the SCP IP block, causing the context pointer to go invalid,

CVE-2025-71068 [HIGH] CVE-2025-71068: In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages i In the Linux kernel, the following vulnerability has been resolved: svcrdma: bound check rq_pages index in inline path svc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without verifying rc_curpage stays within the allocated page array. Add guards before the first use and after advancing to a new page.

CVE-2025-71071 [HIGH] CWE-416 CVE-2025-71071: In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-f In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: fix use-after-free on probe deferral The driver is dropping the references taken to the larb devices during probe after successful lookup as well as on errors. This can potentially lead to a use-after-free in case a larb device has not yet been bound to its driver so

CVE-2025-71089 [HIGH] CVE-2025-71089: In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_ In the Linux kernel, the following vulnerability has been resolved: iommu: disable SVA when CONFIG_X86 is set Patch series "Fix stale IOTLB entries for kernel address space", v7. This proposes a fix for a security vulnerability related to IOMMU Shared Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel page table entries. When a kernel p

CVE-2025-71093 [HIGH] CWE-125 CVE-2025-71093: In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_sho In the Linux kernel, the following vulnerability has been resolved: e1000: fix OOB in e1000_tbi_should_accept() In e1000_tbi_should_accept() we read the last byte of the frame via 'data[length - 1]' to evaluate the TBI workaround. If the descriptor- reported length is zero or larger than the actual RX buffer size, this read goes out of bounds and ca

CVE-2025-71082 [HIGH] CVE-2025-71082: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: revert use of devm_kzalloc in btusb This reverts commit 98921dbd00c4e ("Bluetooth: Use devm_kzalloc in btusb.c file"). In btusb_probe(), we use devm_kzalloc() to allocate the btusb data. This ties the lifetime of all the btusb data to the binding of a driver to one interf

CVE-2025-71092 [HIGH] CWE-787 CVE-2025-71092: In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix OOB write in In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Fix OOB write in bnxt_re_copy_err_stats() Commit ef56081d1864 ("RDMA/bnxt_re: RoCE related hardware counters update") added three new counters and placed them after BNXT_RE_OUT_OF_SEQ_ERR. BNXT_RE_OUT_OF_SEQ_ERR acts as a boundary marker for allocating hardware statist

CVE-2025-71101 [HIGH] CWE-125 CVE-2025-71101: In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix o In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix out-of-bounds array access in ACPI package parsing The hp_populate_*_elements_from_package() functions in the hp-bioscfg driver contain out-of-bounds array access vulnerabilities. These functions parse ACPI packages into internal data structures using

CVE-2025-71073 [HIGH] CWE-416 CVE-2025-71073: In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending In the Linux kernel, the following vulnerability has been resolved: Input: lkkbd - disable pending work before freeing device lkkbd_interrupt() schedules lk->tq via schedule_work(), and the work handler lkkbd_reinit() dereferences the lkkbd structure and its serio/input_dev fields. lkkbd_disconnect() and error paths in lkkbd_connect() free the lkkbd

CVE-2025-71078 [HIGH] CVE-2025-71078: In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multih In the Linux kernel, the following vulnerability has been resolved: powerpc/64s/slb: Fix SLB multihit issue during SLB preload On systems using the hash MMU, there is a software SLB preload cache that mirrors the entries loaded into the hardware SLB buffer. This preload cache is subject to periodic eviction — typically after every 256 context switches — to