linux package
kernel
pkg:linux/kernel
Vulnerabilities (1,755)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-40324 | — | < 5.10.247 | 5.10.247 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix crash in nfsd4_read_release() When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test. | ||
| CVE-2025-40323 | — | >= 2.6.12, < 6.1.159 | 6.1.159 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: fbcon: Set fb_display[i]->mode to NULL when the mode is released Recently, we discovered the following issue through syzkaller: BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at | ||
| CVE-2025-40322 | — | >= 2.6.12, < 5.4.302 | 5.4.302 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: fbdev: bitblit: bound-check glyph index in bit_putcs* bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and | ||
| CVE-2025-40321 | — | >= 3.9.0, < 5.4.302 | 5.4.302 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the "actframe" IO | ||
| CVE-2025-40320 | — | < 6.6.117 | 6.6.117 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential cfid UAF in smb2_query_info_compound When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay | ||
| CVE-2025-40319 | — | >= 5.8.0, < 5.10.247 | 5.10.247 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: bpf: Sync pending IRQ work before freeing ring buffer Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF progr | ||
| CVE-2025-40318 | — | < 6.1.159 | 6.1.159 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the | ||
| CVE-2025-40317 | — | >= 4.16.0, < 5.4.302 | 5.4.302 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: regmap: slimbus: fix bus_context pointer in regmap init calls Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap. That commit brea | ||
| CVE-2025-40316 | — | < 6.6.117 | 6.6.117 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix device use-after-free on unbind A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been add | ||
| CVE-2025-40315 | — | < 5.4.302 | 5.4.302 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() set | ||
| CVE-2025-40314 | — | >= 5.3.0, < 5.15.197 | 5.15.197 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its | ||
| CVE-2025-40313 | — | >= 5.15.0, < 5.15.197 | 5.15.197 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: ntfs3: pretend $Extend records as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type, | ||
| CVE-2025-40312 | — | >= 2.6.12, < 5.4.302 | 5.4.302 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: jfs: Verify inode mode when loading from disk The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk") does. | ||
| CVE-2025-40311 | — | >= 5.8.0, < 6.6.117 | 6.6.117 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped witho | ||
| CVE-2025-40310 | — | >= 6.5.0, < 6.6.117 | 6.6.117 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and kfree(kfd), and KGD int | ||
| CVE-2025-40309 | — | >= 6.13.0, < 6.17.8 | 6.17.8 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_conn_free BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN: | ||
| CVE-2025-40308 | — | < 5.4.302 | 5.4.302 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following sta | ||
| CVE-2025-40307 | — | >= 5.7.0, < 6.12.58 | 6.12.58 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: exfat: validate cluster allocation bits of the allocation bitmap syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking | ||
| CVE-2025-40306 | — | >= 4.6.0, < 5.4.302 | 5.4.302 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: orangefs: fix xattr related buffer overflow... Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning: > The helper `xattr_key()` uses the pointer var | ||
| CVE-2025-40305 | — | >= 6.14.0, < 6.17.8 | 6.17.8 | Dec 8, 2025 | In the Linux kernel, the following vulnerability has been resolved: 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list). However, if the pipe is full, we need to read more d |
- CVE-2025-40324Dec 8, 2025affected < 5.10.247fixed 5.10.247
In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix crash in nfsd4_read_release() When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test.
- CVE-2025-40323Dec 8, 2025affected >= 2.6.12, < 6.1.159fixed 6.1.159
In the Linux kernel, the following vulnerability has been resolved: fbcon: Set fb_display[i]->mode to NULL when the mode is released Recently, we discovered the following issue through syzkaller: BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at
- CVE-2025-40322Dec 8, 2025affected >= 2.6.12, < 5.4.302fixed 5.4.302
In the Linux kernel, the following vulnerability has been resolved: fbdev: bitblit: bound-check glyph index in bit_putcs* bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and
- CVE-2025-40321Dec 8, 2025affected >= 3.9.0, < 5.4.302fixed 5.4.302
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the "actframe" IO
- CVE-2025-40320Dec 8, 2025affected < 6.6.117fixed 6.6.117
In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential cfid UAF in smb2_query_info_compound When smb2_query_info_compound() retries, a previously allocated cfid may have been freed in the first attempt. Because cfid wasn't reset on replay
- CVE-2025-40319Dec 8, 2025affected >= 5.8.0, < 5.10.247fixed 5.10.247
In the Linux kernel, the following vulnerability has been resolved: bpf: Sync pending IRQ work before freeing ring buffer Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF progr
- CVE-2025-40318Dec 8, 2025affected < 6.1.159fixed 6.1.159
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix race in hci_cmd_sync_dequeue_once hci_cmd_sync_dequeue_once() does lookup and then cancel the entry under two separate lock sections. Meanwhile, hci_cmd_sync_work() can also delete the
- CVE-2025-40317Dec 8, 2025affected >= 4.16.0, < 5.4.302fixed 5.4.302
In the Linux kernel, the following vulnerability has been resolved: regmap: slimbus: fix bus_context pointer in regmap init calls Commit 4e65bda8273c ("ASoC: wcd934x: fix error handling in wcd934x_codec_parse_data()") revealed the problem in the slimbus regmap. That commit brea
- CVE-2025-40316Dec 8, 2025affected < 6.6.117fixed 6.6.117
In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Fix device use-after-free on unbind A recent change fixed device reference leaks when looking up drm platform device driver data during bind() but failed to remove a partial fix which had been add
- CVE-2025-40315Dec 8, 2025affected < 5.4.302fixed 5.4.302
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Fix epfile null pointer access after ep enable. A race condition occurs when ffs_func_eps_enable() runs concurrently with ffs_data_reset(). The ffs_data_clear() called in ffs_data_reset() set
- CVE-2025-40314Dec 8, 2025affected >= 5.3.0, < 5.15.197fixed 5.15.197
In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: gadget: Use-after-free during failed initialization and exit of cdnsp gadget In the __cdnsp_gadget_init() and cdnsp_gadget_exit() functions, the gadget structure (pdev->gadget) was freed before its
- CVE-2025-40313Dec 8, 2025affected >= 5.15.0, < 5.15.197fixed 5.15.197
In the Linux kernel, the following vulnerability has been resolved: ntfs3: pretend $Extend records as regular files Since commit af153bb63a33 ("vfs: catch invalid modes in may_open()") requires any inode be one of S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/ S_IFIFO/S_IFSOCK type,
- CVE-2025-40312Dec 8, 2025affected >= 2.6.12, < 5.4.302fixed 5.4.302
In the Linux kernel, the following vulnerability has been resolved: jfs: Verify inode mode when loading from disk The inode mode loaded from corrupted disk can be invalid. Do like what commit 0a9e74051313 ("isofs: Verify inode mode when loading from disk") does.
- CVE-2025-40311Dec 8, 2025affected >= 5.8.0, < 6.6.117fixed 6.6.117
In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: support mapping cb with vmalloc-backed coherent memory When IOMMU is enabled, dma_alloc_coherent() with GFP_USER may return addresses from the vmalloc range. If such an address is mapped witho
- CVE-2025-40310Dec 8, 2025affected >= 6.5.0, < 6.6.117fixed 6.6.117
In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: resolve a race in amdgpu_amdkfd_device_fini_sw There is race in amdgpu_amdkfd_device_fini_sw and interrupt. if amdgpu_amdkfd_device_fini_sw run in b/w kfd_cleanup_nodes and kfree(kfd), and KGD int
- CVE-2025-40309Dec 8, 2025affected >= 6.13.0, < 6.17.8fixed 6.17.8
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: SCO: Fix UAF on sco_conn_free BUG: KASAN: slab-use-after-free in sco_conn_free net/bluetooth/sco.c:87 [inline] BUG: KASAN: slab-use-after-free in kref_put include/linux/kref.h:65 [inline] BUG: KASAN:
- CVE-2025-40308Dec 8, 2025affected < 5.4.302fixed 5.4.302
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: bcsp: receive data only if registered Currently, bcsp_recv() can be called even when the BCSP protocol has not been registered. This leads to a NULL pointer dereference, as shown in the following sta
- CVE-2025-40307Dec 8, 2025affected >= 5.7.0, < 6.12.58fixed 6.12.58
In the Linux kernel, the following vulnerability has been resolved: exfat: validate cluster allocation bits of the allocation bitmap syzbot created an exfat image with cluster bits not set for the allocation bitmap. exfat-fs reads and uses the allocation bitmap without checking
- CVE-2025-40306Dec 8, 2025affected >= 4.6.0, < 5.4.302fixed 5.4.302
In the Linux kernel, the following vulnerability has been resolved: orangefs: fix xattr related buffer overflow... Willy Tarreau <w@1wt.eu> forwarded me a message from Disclosure <disclosure@aisle.com> with the following warning: > The helper `xattr_key()` uses the pointer var
- CVE-2025-40305Dec 8, 2025affected >= 6.14.0, < 6.17.8fixed 6.17.8
In the Linux kernel, the following vulnerability has been resolved: 9p/trans_fd: p9_fd_request: kick rx thread if EPOLLIN p9_read_work() doesn't set Rworksched and doesn't do schedule_work(m->rq) if list_empty(&m->req_list). However, if the pipe is full, we need to read more d
Page 68 of 88