Linux Kernel vulnerabilities

CVE-2025-71100 [HIGH] CWE-129 CVE-2025-71100: In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: 8192cu: fix tid out of range in rtl92cu_tx_fill_desc() TID getting from ieee80211_get_tid() might be out of range of array size of sta_entry->tids[], so check TID is less than MAX_TID_COUNT. Othwerwise, UBSAN warn: UBSAN: array-index-out-of-bounds in drivers/net/wirel

CVE-2025-68817 [HIGH] CWE-416 CVE-2025-68817: In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ks In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_tree_connect_put under concurrency Under high concurrency, A tree-connection object (tcon) is freed on a disconnect path while another path still holds a reference and later executes *_put()/write on it.

CVE-2025-71086 [HIGH] CWE-129 CVE-2025-71086: In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array in In the Linux kernel, the following vulnerability has been resolved: net: rose: fix invalid array index in rose_kill_by_device() rose_kill_by_device() collects sockets into a local array[] and then iterates over them to disconnect sockets bound to a device being brought down. The loop mistakenly indexes array[cnt] instead of array[i]. For cnt < ARRA

CVE-2025-71075 [HIGH] CWE-416 CVE-2025-71075: In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-fr In the Linux kernel, the following vulnerability has been resolved: scsi: aic94xx: fix use-after-free in device removal path The asd_pci_remove() function fails to synchronize with pending tasklets before freeing the asd_ha structure, leading to a potential use-after-free vulnerability. When a device removal is triggered (via hot-unplug or module u

CVE-2025-71099 [HIGH] CWE-416 CVE-2025-71099: In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix potential UAF in In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Fix potential UAF in xe_oa_add_config_ioctl() In xe_oa_add_config_ioctl(), we accessed oa_config->id after dropping metrics_lock. Since this lock protects the lifetime of oa_config, an attacker could guess the id and call xe_oa_remove_config_ioctl() with perfect timing, f

CVE-2025-71091 [HIGH] CVE-2025-71091: In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enable In the Linux kernel, the following vulnerability has been resolved: team: fix check for port enabled in team_queue_override_port_prio_changed() There has been a syzkaller bug reported recently with the following trace: list_del corruption, ffff888058bea080->prev is LIST_POISON2 (dead000000000122) ------------[ cut here ]------------ kernel BUG at lib/list_

CVE-2025-71095 [MEDIUM] CVE-2025-71095: In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issu In the Linux kernel, the following vulnerability has been resolved: net: stmmac: fix the crash issue for zero copy XDP_TX action There is a crash issue when running zero copy XDP_TX action, the crash log is shown below. [ 216.122464] Unable to handle kernel paging request at virtual address fffeffff80000000 [ 216.187524] Internal error: Oops: 00000000960

CVE-2025-71084 [MEDIUM] CVE-2025-71084: In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multic In the Linux kernel, the following vulnerability has been resolved: RDMA/cm: Fix leaking the multicast GID table reference If the CM ID is destroyed while the CM event for multicast creating is still queued the cancel_work_sync() will prevent the work from running which also prevents destroying the ah_attr. This leaks a refcount and triggers a WARN: GID

CVE-2025-71097 [MEDIUM] CVE-2025-71097: In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix reference count leak when using error routes with nexthop objects When a nexthop object is deleted, it is marked as dead and then fib_table_flush() is called to flush all the routes that are using the dead nexthop. The current logic in fib_table_flush() is to only flush error ro

CVE-2025-71088 [MEDIUM] CVE-2025-71088: In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simu In the Linux kernel, the following vulnerability has been resolved: mptcp: fallback earlier on simult connection Syzkaller reports a simult-connect race leading to inconsistent fallback status: WARNING: CPU: 3 PID: 33 at net/mptcp/subflow.c:1515 subflow_data_ready+0x40b/0x7c0 net/mptcp/subflow.c:1515 Modules linked in: CPU: 3 UID: 0 PID: 33 Comm: ksoftir

CVE-2025-71090 [MEDIUM] CVE-2025-71090: In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfsd_file reference l In the Linux kernel, the following vulnerability has been resolved: nfsd: fix nfsd_file reference leak in nfsd4_add_rdaccess_to_wrdeleg() nfsd4_add_rdaccess_to_wrdeleg() unconditionally overwrites fp->fi_fds[O_RDONLY] with a newly acquired nfsd_file. However, if the client already has a SHARE_ACCESS_READ open from a previous OPEN operation, this action ov

CVE-2025-71072 [MEDIUM] CVE-2025-71072: In the Linux kernel, the following vulnerability has been resolved: shmem: fix recovery on rename f In the Linux kernel, the following vulnerability has been resolved: shmem: fix recovery on rename failures maple_tree insertions can fail if we are seriously short on memory; simple_offset_rename() does not recover well if it runs into that. The same goes for simple_offset_rename_exchange(). Moreover, shmem_whiteout() expects that if it succeeds, the cal

CVE-2025-71096 [MEDIUM] CWE-908 CVE-2025-71096: In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presen In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Check for the presence of LS_NLA_TYPE_DGID correctly The netlink response for RDMA_NL_LS_OP_IP_RESOLVE should always have a LS_NLA_TYPE_DGID attribute, it is invalid if it does not. Use the nl parsing logic properly and call nla_parse_deprecated() to fill the nlattrs a

CVE-2025-71087 [MEDIUM] CWE-193 CVE-2025-71087: In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in In the Linux kernel, the following vulnerability has been resolved: iavf: fix off-by-one issues in iavf_config_rss_reg() There are off-by-one bugs when configuring RSS hash key and lookup table, causing out-of-bounds reads to memory [1] and out-of-bounds writes to device registers. Before commit 43a3d9ba34c9 ("i40evf: Allow PF driver to configure

CVE-2025-71085 [MEDIUM] CWE-617 CVE-2025-71085: In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head In the Linux kernel, the following vulnerability has been resolved: ipv6: BUG() in pskb_expand_head() as part of calipso_skbuff_setattr() There exists a kernel oops caused by a BUG_ON(nhead INT_MAX (i.e. (int)(skb_headroom(skb) + len_delta) skb_headroom(skb)) is meant to ensure that delta = headroom - skb_headroom(skb) is never negative, otherwise

CVE-2025-71080 [MEDIUM] CWE-617 CVE-2025-71080: In the Linux kernel, the following vulnerability has been resolved: ipv6: fix a BUG in rt6_get_pcpu In the Linux kernel, the following vulnerability has been resolved: ipv6: fix a BUG in rt6_get_pcpu_route() under PREEMPT_RT On PREEMPT_RT kernels, after rt6_get_pcpu_route() returns NULL, the current task can be preempted. Another task running on the same CPU may then execute rt6_make_pcpu_route() and successfully install a pcpu_rt entry. When th

CVE-2025-71094 [MEDIUM] CVE-2025-71094: In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY ad In the Linux kernel, the following vulnerability has been resolved: net: usb: asix: validate PHY address before use The ASIX driver reads the PHY address from the USB device via asix_read_phy_addr(). A malicious or faulty device can return an invalid address (>= PHY_MAX_ADDR), which causes a warning in mdiobus_get_phy(): addr 207 out of range WARNING: dr

CVE-2025-71079 [MEDIUM] CWE-667 CVE-2025-71079: In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between In the Linux kernel, the following vulnerability has been resolved: net: nfc: fix deadlock between nfc_unregister_device and rfkill_fop_write A deadlock can occur between nfc_unregister_device() and rfkill_fop_write() due to lock ordering inversion between device_lock and rfkill_global_mutex. The problematic lock order is: Thread A (rfkill_fop_wr

CVE-2025-71076 [MEDIUM] CVE-2025-71076: In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Limit num_syncs to p In the Linux kernel, the following vulnerability has been resolved: drm/xe/oa: Limit num_syncs to prevent oversized allocations The OA open parameters did not validate num_syncs, allowing userspace to pass arbitrarily large values, potentially leading to excessive allocations. Add check to ensure that num_syncs does not exceed DRM_XE_MAX_SYNCS, returning

CVE-2025-71098 [MEDIUM] CWE-476 CVE-2025-71098: In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() r In the Linux kernel, the following vulnerability has been resolved: ip6_gre: make ip6gre_header() robust Over the years, syzbot found many ways to crash the kernel in ip6gre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack