linux package
kernel
pkg:linux/kernel
Vulnerabilities (1,755)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-40222 | — | >= 6.17.0, < 6.17.6 | 6.17.6 | Dec 4, 2025 | In the Linux kernel, the following vulnerability has been resolved: tty: serial: sh-sci: fix RSCI FIFO overrun handling The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for othe | ||
| CVE-2025-40221 | — | >= 6.7.0, < 6.12.54 | 6.12.54 | Dec 4, 2025 | In the Linux kernel, the following vulnerability has been resolved: media: pci: mg4b: fix uninitialized iio scan data Fix potential leak of uninitialized stack data to userspace by ensuring that the `scan` structure is zeroed before use. | ||
| CVE-2025-40220 | — | >= 2.6.38, < 5.10.246 | 5.10.246 | Dec 4, 2025 | In the Linux kernel, the following vulnerability has been resolved: fuse: fix livelock in synchronous file put from fuseblk workers I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor | ||
| CVE-2025-40219 | — | >= 5.0.0, < 5.4.301 | 5.4.301 | Dec 4, 2025 | In the Linux kernel, the following vulnerability has been resolved: PCI/IOV: Fix race between SR-IOV enable/disable and hotplug Commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV") tried to fix a race between the VF removal inside sriov_ | ||
| CVE-2025-40218 | — | >= 6.5.0, < 6.6.113 | 6.6.113 | Dec 4, 2025 | In the Linux kernel, the following vulnerability has been resolved: mm/damon/vaddr: do not repeat pte_offset_map_lock() until success DAMON's virtual address space operation set implementation (vaddr) calls pte_offset_map_lock() inside the page table walk callback function. Th | ||
| CVE-2025-40217 | — | >= 6.11.0, < 6.17.4 | 6.17.4 | Dec 4, 2025 | In the Linux kernel, the following vulnerability has been resolved: pidfs: validate extensible ioctls Validate extensible ioctls stricter than we do now. | ||
| CVE-2025-40216 | — | >= 6.12.0, < 6.12.36 | 6.12.36 | Dec 4, 2025 | In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: don't rely on user vaddr alignment There is no guaranteed alignment for user pointers, however the calculation of an offset of the first page into a folio after coalescing uses some weird bit mas | ||
| CVE-2025-40215 | — | >= 2.6.29, < 5.10.248 | 5.10.248 | Dec 4, 2025 | In the Linux kernel, the following vulnerability has been resolved: xfrm: delete x->tunnel as we delete x The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a | ||
| CVE-2025-40214 | — | < 6.1.159 | 6.1.159 | Dec 4, 2025 | In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages | ||
| CVE-2025-40213 | — | >= 6.17.0, < 6.17.8 | 6.17.8 | Nov 24, 2025 | In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. Another crash is in set_ | ||
| CVE-2025-40212 | — | >= 6.12.0, < 6.12.59 | 6.12.59 | Nov 24, 2025 | In the Linux kernel, the following vulnerability has been resolved: nfsd: fix refcount leak in nfsd_set_fh_dentry() nfsd exports a "pseudo root filesystem" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle. NFSv3 | ||
| CVE-2025-40211 | — | >= 3.17.0, < 5.4.302 | 5.4.302 | Nov 21, 2025 | In the Linux kernel, the following vulnerability has been resolved: ACPI: video: Fix use-after-free in acpi_video_switch_brightness() The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during | ||
| CVE-2025-40210 | — | >= 6.17.0, < 6.17.8 | 6.17.8 | Nov 21, 2025 | In the Linux kernel, the following vulnerability has been resolved: Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND" I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug int | ||
| CVE-2025-40209 | — | >= 6.11.0, < 6.12.58 | 6.12.58 | Nov 21, 2025 | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the p | ||
| CVE-2025-40208 | — | >= 6.15.0, < 6.17.4 | 6.17.4 | Nov 12, 2025 | In the Linux kernel, the following vulnerability has been resolved: media: iris: fix module removal if firmware download failed Fix remove if firmware failed to load: qcom-iris aa00000.video-codec: Direct firmware load for qcom/vpu/vpu33_p4.mbn failed with error -2 qcom-iris aa | ||
| CVE-2025-40207 | — | >= 6.0.0, < 6.1.157 | 6.1.157 | Nov 12, 2025 | In the Linux kernel, the following vulnerability has been resolved: media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() v4l2_subdev_call_state_try() macro allocates a subdev state with __v4l2_subdev_state_alloc(), but does not check the returned value. I | ||
| CVE-2025-40206 | — | >= 5.4.0, < 6.6.113 | 6.6.113 | Nov 12, 2025 | In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_objref: validate objref and objrefmap expressions Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls: BUG: TASK stack guard page was hit | ||
| CVE-2025-40205 | — | >= 2.6.29, < 5.4.301 | 5.4.301 | Nov 12, 2025 | In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only retu | ||
| CVE-2025-40204 | — | >= 2.6.12, < 5.4.301 | 5.4.301 | Nov 12, 2025 | In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this. | ||
| CVE-2025-40203 | — | >= 6.8.0, < 6.12.54 | 6.12.54 | Nov 12, 2025 | In the Linux kernel, the following vulnerability has been resolved: listmount: don't call path_put() under namespace semaphore Massage listmount() and make sure we don't call path_put() under the namespace semaphore. If we put the last reference we're fscked. |
- CVE-2025-40222Dec 4, 2025affected >= 6.17.0, < 6.17.6fixed 6.17.6
In the Linux kernel, the following vulnerability has been resolved: tty: serial: sh-sci: fix RSCI FIFO overrun handling The receive error handling code is shared between RSCI and all other SCIF port types, but the RSCI overrun_reg is specified as a memory offset, while for othe
- CVE-2025-40221Dec 4, 2025affected >= 6.7.0, < 6.12.54fixed 6.12.54
In the Linux kernel, the following vulnerability has been resolved: media: pci: mg4b: fix uninitialized iio scan data Fix potential leak of uninitialized stack data to userspace by ensuring that the `scan` structure is zeroed before use.
- CVE-2025-40220Dec 4, 2025affected >= 2.6.38, < 5.10.246fixed 5.10.246
In the Linux kernel, the following vulnerability has been resolved: fuse: fix livelock in synchronous file put from fuseblk workers I observed a hang when running generic/323 against a fuseblk server. This test opens a file, initiates a lot of AIO writes to that file descriptor
- CVE-2025-40219Dec 4, 2025affected >= 5.0.0, < 5.4.301fixed 5.4.301
In the Linux kernel, the following vulnerability has been resolved: PCI/IOV: Fix race between SR-IOV enable/disable and hotplug Commit 05703271c3cd ("PCI/IOV: Add PCI rescan-remove locking when enabling/disabling SR-IOV") tried to fix a race between the VF removal inside sriov_
- CVE-2025-40218Dec 4, 2025affected >= 6.5.0, < 6.6.113fixed 6.6.113
In the Linux kernel, the following vulnerability has been resolved: mm/damon/vaddr: do not repeat pte_offset_map_lock() until success DAMON's virtual address space operation set implementation (vaddr) calls pte_offset_map_lock() inside the page table walk callback function. Th
- CVE-2025-40217Dec 4, 2025affected >= 6.11.0, < 6.17.4fixed 6.17.4
In the Linux kernel, the following vulnerability has been resolved: pidfs: validate extensible ioctls Validate extensible ioctls stricter than we do now.
- CVE-2025-40216Dec 4, 2025affected >= 6.12.0, < 6.12.36fixed 6.12.36
In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: don't rely on user vaddr alignment There is no guaranteed alignment for user pointers, however the calculation of an offset of the first page into a folio after coalescing uses some weird bit mas
- CVE-2025-40215Dec 4, 2025affected >= 2.6.29, < 5.10.248fixed 5.10.248
In the Linux kernel, the following vulnerability has been resolved: xfrm: delete x->tunnel as we delete x The ipcomp fallback tunnels currently get deleted (from the various lists and hashtables) as the last user state that needed that fallback is destroyed (not deleted). If a
- CVE-2025-40214Dec 4, 2025affected < 6.1.159fixed 6.1.159
In the Linux kernel, the following vulnerability has been resolved: af_unix: Initialise scc_index in unix_add_edge(). Quang Le reported that the AF_UNIX GC could garbage-collect a receive queue of an alive in-flight socket, with a nice repro. The repro consists of three stages
- CVE-2025-40213Nov 24, 2025affected >= 6.17.0, < 6.17.8fixed 6.17.8
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: fix crash in set_mesh_sync and set_mesh_complete There is a BUG: KASAN: stack-out-of-bounds in set_mesh_sync due to memcpy from badly declared on-stack flexible array. Another crash is in set_
- CVE-2025-40212Nov 24, 2025affected >= 6.12.0, < 6.12.59fixed 6.12.59
In the Linux kernel, the following vulnerability has been resolved: nfsd: fix refcount leak in nfsd_set_fh_dentry() nfsd exports a "pseudo root filesystem" which is used by NFSv4 to find the various exported filesystems using LOOKUP requests from a known root filehandle. NFSv3
- CVE-2025-40211Nov 21, 2025affected >= 3.17.0, < 5.4.302fixed 5.4.302
In the Linux kernel, the following vulnerability has been resolved: ACPI: video: Fix use-after-free in acpi_video_switch_brightness() The switch_brightness_work delayed work accesses device->brightness and device->backlight, freed by acpi_video_dev_unregister_backlight() during
- CVE-2025-40210Nov 21, 2025affected >= 6.17.0, < 6.17.8fixed 6.17.8
In the Linux kernel, the following vulnerability has been resolved: Revert "NFSD: Remove the cap on number of operations per NFSv4 COMPOUND" I've found that pynfs COMP6 now leaves the connection or lease in a strange state, which causes CLOSE9 to hang indefinitely. I've dug int
- CVE-2025-40209Nov 21, 2025affected >= 6.11.0, < 6.12.58fixed 6.12.58
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix memory leak of qgroup_list in btrfs_add_qgroup_relation When btrfs_add_qgroup_relation() is called with invalid qgroup levels (src >= dst), the function returns -EINVAL directly without freeing the p
- CVE-2025-40208Nov 12, 2025affected >= 6.15.0, < 6.17.4fixed 6.17.4
In the Linux kernel, the following vulnerability has been resolved: media: iris: fix module removal if firmware download failed Fix remove if firmware failed to load: qcom-iris aa00000.video-codec: Direct firmware load for qcom/vpu/vpu33_p4.mbn failed with error -2 qcom-iris aa
- CVE-2025-40207Nov 12, 2025affected >= 6.0.0, < 6.1.157fixed 6.1.157
In the Linux kernel, the following vulnerability has been resolved: media: v4l2-subdev: Fix alloc failure check in v4l2_subdev_call_state_try() v4l2_subdev_call_state_try() macro allocates a subdev state with __v4l2_subdev_state_alloc(), but does not check the returned value. I
- CVE-2025-40206Nov 12, 2025affected >= 5.4.0, < 6.6.113fixed 6.6.113
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_objref: validate objref and objrefmap expressions Referencing a synproxy stateful object from OUTPUT hook causes kernel crash due to infinite recursive calls: BUG: TASK stack guard page was hit
- CVE-2025-40205Nov 12, 2025affected >= 2.6.29, < 5.4.301fixed 5.4.301
In the Linux kernel, the following vulnerability has been resolved: btrfs: avoid potential out-of-bounds in btrfs_encode_fh() The function btrfs_encode_fh() does not properly account for the three cases it handles. Before writing to the file handle (fh), the function only retu
- CVE-2025-40204Nov 12, 2025affected >= 2.6.12, < 5.4.301fixed 5.4.301
In the Linux kernel, the following vulnerability has been resolved: sctp: Fix MAC comparison to be constant-time To prevent timing attacks, MACs need to be compared in constant time. Use the appropriate helper function for this.
- CVE-2025-40203Nov 12, 2025affected >= 6.8.0, < 6.12.54fixed 6.12.54
In the Linux kernel, the following vulnerability has been resolved: listmount: don't call path_put() under namespace semaphore Massage listmount() and make sure we don't call path_put() under the namespace semaphore. If we put the last reference we're fscked.
Page 73 of 88