| ID | Summary | Flags | Max Score |
|---|---|---|---|
| CVE-2025-38000 | sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() | | |
| CVE-2025-38001 | net_sched: hfsc: Address reentrant enqueue adding class to eltree twice | | |
| CVE-2025-38002 | io_uring/fdinfo: grab ctx->uring_lock around io_uring_show_fdinfo() | | |
| CVE-2025-38003 | can: bcm: add missing rcu read protection for procfs content | | |
| CVE-2025-38004 | can: bcm: add locking for bcm_op runtime updates | | |
| CVE-2025-38005 | dmaengine: ti: k3-udma: Add missing locking | | |
| CVE-2025-38006 | net: mctp: Don't access ifa_index when missing | | |
| CVE-2025-38007 | HID: uclogic: Add NULL check in uclogic_input_configured() | | |
| CVE-2025-38008 | mm/page_alloc: fix race condition in unaccepted memory handling | | |
| CVE-2025-38009 | wifi: mt76: disable napi on driver removal | | |
| CVE-2025-38010 | phy: tegra: xusb: Use a bitmask for UTMI pad power state tracking | | |
| CVE-2025-38011 | drm/amdgpu: csa unmap use uninterruptible lock | | |
| CVE-2025-38012 | sched_ext: bpf_iter_scx_dsq_new() should always initialize iterator | | |
| CVE-2025-38013 | wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request | | |
| CVE-2025-38014 | dmaengine: idxd: Refactor remove call with idxd_cleanup() helper | | |
| CVE-2025-38015 | dmaengine: idxd: fix memory leak in error handling path of idxd_alloc | | |
| CVE-2025-38016 | HID: bpf: abort dispatch if device destroyed | | |
| CVE-2025-38017 | fs/eventpoll: fix endless busy loop after timeout has expired | | |
| CVE-2025-38018 | net/tls: fix kernel panic when alloc_page failed | | |
| CVE-2025-38019 | mlxsw: spectrum_router: Fix use-after-free when deleting GRE net devices | | |
| CVE-2025-38020 | net/mlx5e: Disable MACsec offload for uplink representor profile | | |
| CVE-2025-38021 | drm/amd/display: Fix null check of pipe_ctx->plane_state for update_dchubp_dpp | | |
| CVE-2025-38022 | RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem | | |
| CVE-2025-38023 | nfs: handle failure of nfs_get_lock_context in unlock path | | |
| CVE-2025-38024 | RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug | | |
| CVE-2025-38025 | iio: adc: ad7606: check for NULL before calling sw_mode_config() | | |
| CVE-2025-38026 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.... | R | |
| CVE-2025-38027 | regulator: max20086: fix invalid memory access | | |
| CVE-2025-38028 | NFS/localio: Fix a race in nfs_local_open_fh() | | |
| CVE-2025-38029 | kasan: avoid sleepable page allocation from atomic context | | |
| CVE-2025-38030 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.... | R | |
| CVE-2025-38031 | padata: do not leak refcount in reorder_work | | |
| CVE-2025-38032 | mr: consolidate the ipmr_can_free_table() checks. | | |
| CVE-2025-38033 | x86/Kconfig: make CFI_AUTO_DEFAULT depend on !RUST or Rust >= 1.88 | | |
| CVE-2025-38034 | btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref | | |
| CVE-2025-38035 | nvmet-tcp: don't restore null sk_state_change | | |
| CVE-2025-38036 | drm/xe/vf: Perform early GT MMIO initialization to read GMDID | | |
| CVE-2025-38037 | vxlan: Annotate FDB data races | | |
| CVE-2025-38038 | cpufreq: amd-pstate: Remove unnecessary driver_lock in set_boost | | |
| CVE-2025-38039 | net/mlx5e: Avoid WARN_ON when configuring MQPRIO with HTB offload enabled | | |
| CVE-2025-38040 | serial: mctrl_gpio: split disable_ms into sync and no_sync APIs | | |
| CVE-2025-38041 | clk: sunxi-ng: h616: Reparent GPU clock during frequency changes | | |
| CVE-2025-38042 | dmaengine: ti: k3-udma-glue: Drop skip_fdq argument from k3_udma_glue_reset_rx_chn | | |
| CVE-2025-38043 | firmware: arm_ffa: Set dma_mask for ffa devices | | |
| CVE-2025-38044 | media: cx231xx: set device_caps for 417 | | |
| CVE-2025-38045 | wifi: iwlwifi: fix debug actions order | | |
| CVE-2025-38046 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.... | R | |
| CVE-2025-38047 | x86/fred: Fix system hang during S4 resume with FRED enabled | | |
| CVE-2025-38048 | virtio_ring: Fix data race by tagging event_triggered as racy for KCSAN | | |
| CVE-2025-38049 | x86/resctrl: Fix allocation of cleanest CLOSID on platforms with no monitors | S | |
| CVE-2025-38050 | mm/hugetlb: fix kernel NULL pointer dereference when replacing free hugetlb folios | | |
| CVE-2025-38051 | smb: client: Fix use-after-free in cifs_fill_dirent | | |
| CVE-2025-38052 | net/tipc: fix slab-use-after-free Read in tipc_aead_encrypt_done | | |
| CVE-2025-38053 | idpf: fix null-ptr-deref in idpf_features_check | | |
| CVE-2025-38054 | ptp: ocp: Limit signal/freq counts in summary output functions | | |
| CVE-2025-38055 | perf/x86/intel: Fix segfault with PEBS-via-PT with sample_freq | | |
| CVE-2025-38056 | ASoC: SOF: Intel: hda: Fix UAF when reloading module | | |
| CVE-2025-38057 | espintcp: fix skb leaks | | |
| CVE-2025-38058 | __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock | | |
| CVE-2025-38059 | btrfs: avoid NULL pointer dereference if no valid csum tree | | |
| CVE-2025-38060 | bpf: copy_verifier_state() should copy 'loop_entry' field | | |
| CVE-2025-38061 | net: pktgen: fix access outside of user given buffer in pktgen_thread_write() | | |
| CVE-2025-38062 | genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie | | |
| CVE-2025-38063 | dm: fix unconditional IO throttle caused by REQ_PREFLUSH | | |
| CVE-2025-38064 | virtio: break and reset virtio devices on device_shutdown() | | |
| CVE-2025-38065 | orangefs: Do not truncate file size | | |
| CVE-2025-38066 | dm cache: prevent BUG_ON by blocking retries on failed device resumes | | |
| CVE-2025-38067 | rseq: Fix segfault on registration when rseq_cs is non-zero | | |
| CVE-2025-38068 | crypto: lzo - Fix compression buffer overrun | | |
| CVE-2025-38069 | PCI: endpoint: pci-epf-test: Fix double free that causes kernel to oops | | |
| CVE-2025-38070 | ASoC: sma1307: Add NULL check in sma1307_setting_loaded() | | |
| CVE-2025-38071 | x86/mm: Check return value from memblock_phys_alloc_range() | | |
| CVE-2025-38072 | libnvdimm/labels: Fix divide error in nd_label_data_init() | | |
| CVE-2025-38073 | block: fix race between set_blocksize and read paths | | |
| CVE-2025-38074 | vhost-scsi: protect vq->log_used with vq->mutex | | |
| CVE-2025-38075 | scsi: target: iscsi: Fix timeout on deleted connection | | |
| CVE-2025-38076 | alloc_tag: allocate percpu counters for module tags dynamically | | |
| CVE-2025-38077 | platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store() | | |
| CVE-2025-38078 | ALSA: pcm: Fix race of buffer access at PCM OSS layer | | |
| CVE-2025-38079 | crypto: algif_hash - fix double free in hash_accept | | |
| CVE-2025-38080 | drm/amd/display: Increase block_sequence array size | | |
| CVE-2025-38081 | spi-rockchip: Fix register out of bounds access | | |
| CVE-2025-38082 | gpio: virtuser: fix potential out-of-bound write | | |
| CVE-2025-38083 | net_sched: prio: fix a race in prio_tune() | | |
| CVE-2025-38084 | mm/hugetlb: unshare page tables during VMA split, not before | | |
| CVE-2025-38085 | mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race | | |
| CVE-2025-38086 | net: ch9200: fix uninitialised access during mii_nway_restart | | |
| CVE-2025-38087 | net/sched: fix use-after-free in taprio_dev_notifier | | |
| CVE-2025-38088 | powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap | | |
| CVE-2025-38089 | sunrpc: handle SVC_GARBAGE during svc auth processing as auth error | | |
| CVE-2025-38090 | drivers/rapidio/rio_cm.c: prevent possible heap overwrite | | |
| CVE-2025-38091 | drm/amd/display: check stream id dml21 wrapper to get plane_id | | |
| CVE-2025-38092 | ksmbd: use list_first_entry_or_null for opinfo_get_list() | | |
| CVE-2025-38093 | arm64: dts: qcom: x1e80100: Add GPU cooling | | |
| CVE-2025-38094 | net: cadence: macb: Fix a possible deadlock in macb_halt_tx. | | |
| CVE-2025-38095 | dma-buf: insert memory barrier before updating num_fences | | |
| CVE-2025-38096 | wifi: iwlwifi: don't warn when if there is a FW error | | |
| CVE-2025-38097 | espintcp: remove encap socket caching to avoid reference leak | | |
| CVE-2025-38098 | drm/amd/display: Don't treat wb connector as physical in create_validate_stream_for_sink | | |
| CVE-2025-38099 | Bluetooth: Disable SCO support if READ_VOICE_SETTING is unsupported/broken | | |
| CVE-2025-38100 | x86/iopl: Cure TIF_IO_BITMAP inconsistencies | | |
| CVE-2025-38101 | ring-buffer: Fix buffer locking in ring_buffer_subbuf_order_set() | | |
| CVE-2025-38102 | VMCI: fix race between vmci_host_setup_notify and vmci_ctx_unset_notify | | |
| CVE-2025-38103 | HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() | | |
| CVE-2025-38104 | drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV | | |
| CVE-2025-38105 | ALSA: usb-audio: Kill timer properly at removal | | |
| CVE-2025-38106 | io_uring: fix use-after-free of sq->thread in __io_uring_show_fdinfo() | | |
| CVE-2025-38107 | net_sched: ets: fix a race in ets_qdisc_change() | | |
| CVE-2025-38108 | net_sched: red: fix a race in __red_change() | | |
| CVE-2025-38109 | net/mlx5: Fix ECVF vports unload on shutdown flow | | |
| CVE-2025-38110 | net/mdiobus: Fix potential out-of-bounds clause 45 read/write access | | |
| CVE-2025-38111 | net/mdiobus: Fix potential out-of-bounds read/write access | | |
| CVE-2025-38112 | net: Fix TOCTOU issue in sk_is_readable() | | |
| CVE-2025-38113 | ACPI: CPPC: Fix NULL pointer dereference when nosmp is used | | |
| CVE-2025-38114 | e1000: Move cancel_work_sync to avoid deadlock | | |
| CVE-2025-38115 | net_sched: sch_sfq: fix a potential crash on gso_skb handling | | |
| CVE-2025-38116 | wifi: ath12k: fix uaf in ath12k_core_init() | | |
| CVE-2025-38117 | Bluetooth: MGMT: Protect mgmt_pending list with its own lock | | |
| CVE-2025-38118 | Bluetooth: MGMT: Fix UAF on mgmt_remove_adv_monitor_complete | | |
| CVE-2025-38119 | scsi: core: ufs: Fix a hang in the error handler | | |
| CVE-2025-38120 | netfilter: nf_set_pipapo_avx2: fix initial map fill | | |
| CVE-2025-38121 | wifi: iwlwifi: mld: avoid panic on init failure | | |
| CVE-2025-38122 | gve: add missing NULL check for gve_alloc_pending_packet() in TX DQO | | |
| CVE-2025-38123 | net: wwan: t7xx: Fix napi rx poll issue | | |
| CVE-2025-38124 | net: fix udp gso skb_segment after pull from frag_list | | |
| CVE-2025-38125 | net: stmmac: make sure that ptp_rate is not 0 before configuring EST | | |
| CVE-2025-38126 | net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping | | |
| CVE-2025-38127 | ice: fix Tx scheduler error handling in XDP callback | | |
| CVE-2025-38128 | Bluetooth: MGMT: reject malformed HCI_CMD_SYNC commands | | |
| CVE-2025-38129 | page_pool: Fix use-after-free in page_pool_recycle_in_ring | | |
| CVE-2025-38130 | drm/connector: only call HDMI audio helper plugged cb if non-null | | |
| CVE-2025-38131 | coresight: prevent deactivate active config while enabling the config | | |
| CVE-2025-38132 | coresight: holding cscfg_csdev_lock while removing cscfg from csdev | | |
| CVE-2025-38133 | iio: adc: ad4851: fix ad4858 chan pointer handling | | |
| CVE-2025-38134 | usb: acpi: Prevent null pointer dereference in usb_acpi_add_usb4_devlink() | | |
| CVE-2025-38135 | serial: Fix potential null-ptr-deref in mlb_usio_probe() | | |
| CVE-2025-38136 | usb: renesas_usbhs: Reorder clock handling and power management in probe | | |
| CVE-2025-38137 | PCI/pwrctrl: Cancel outstanding rescan work when unregistering | | |
| CVE-2025-38138 | dmaengine: ti: Add NULL check in udma_probe() | | |
| CVE-2025-38139 | netfs: Fix oops in write-retry from mis-resetting the subreq iterator | | |
| CVE-2025-38140 | dm: limit swapping tables for devices with zone write plugs | | |
| CVE-2025-38141 | dm: fix dm_blk_report_zones | | |
| CVE-2025-38142 | hwmon: (asus-ec-sensors) check sensor index in read_string() | | |
| CVE-2025-38143 | backlight: pm8941: Add NULL check in wled_configure() | | |
| CVE-2025-38144 | watchdog: lenovo_se30_wdt: Fix possible devm_ioremap() NULL pointer dereference in lenovo_se30_wdt_probe() | | |
| CVE-2025-38145 | soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() | | |
| CVE-2025-38146 | net: openvswitch: Fix the dead loop of MPLS parse | | |
| CVE-2025-38147 | calipso: Don't call calipso functions for AF_INET sk. | | |
| CVE-2025-38148 | net: phy: mscc: Fix memory leak when using one step timestamping | | |
| CVE-2025-38149 | net: phy: clear phydev->devlink when the link is deleted | | |
| CVE-2025-38150 | af_packet: move notifier's packet_dev_mc out of rcu critical section | | |
| CVE-2025-38151 | RDMA/cma: Fix hang when cma_netevent_callback fails to queue_work | | |
| CVE-2025-38152 | remoteproc: core: Clear table_sz when rproc_shutdown | S | |
| CVE-2025-38153 | net: usb: aqc111: fix error handling of usbnet read calls | | |
| CVE-2025-38154 | bpf, sockmap: Avoid using sk_socket after free when sending | | |
| CVE-2025-38155 | wifi: mt76: mt7915: Fix null-ptr-deref in mt7915_mmio_wed_init() | | |
| CVE-2025-38156 | wifi: mt76: mt7996: Fix null-ptr-deref in mt7996_mmio_wed_init() | | |
| CVE-2025-38157 | wifi: ath9k_htc: Abort software beacon handling if disabled | | |
| CVE-2025-38158 | hisi_acc_vfio_pci: fix XQE dma address error | | |
| CVE-2025-38159 | wifi: rtw88: fix the 'para' buffer size to avoid reading out of bounds | | |
| CVE-2025-38160 | clk: bcm: rpi: Add NULL check in raspberrypi_clk_register() | | |
| CVE-2025-38161 | RDMA/mlx5: Fix error flow upon firmware failure for RQ destruction | | |
| CVE-2025-38162 | netfilter: nft_set_pipapo: prevent overflow in lookup table allocation | | |
| CVE-2025-38163 | f2fs: fix to do sanity check on sbi->total_valid_block_count | | |
| CVE-2025-38164 | f2fs: zone: fix to avoid inconsistence in between SIT and SSA | | |
| CVE-2025-38165 | bpf, sockmap: Fix panic when calling skb_linearize | | |
| CVE-2025-38166 | bpf: fix ktls panic with sockmap | | |
| CVE-2025-38167 | fs/ntfs3: handle hdr_first_de() return value | | |
| CVE-2025-38168 | perf: arm-ni: Unregister PMUs on probe failure | | |
| CVE-2025-38169 | arm64/fpsimd: Avoid clobbering kernel FPSIMD state with SMSTOP | | |
| CVE-2025-38170 | arm64/fpsimd: Discard stale CPU state when handling SME traps | | |
| CVE-2025-38171 | power: supply: max77705: Fix workqueue error handling in probe | | |
| CVE-2025-38172 | erofs: avoid using multiple devices with different type | | |
| CVE-2025-38173 | crypto: marvell/cesa - Handle zero-length skcipher requests | | |
| CVE-2025-38174 | thunderbolt: Do not double dequeue a configuration request | | |
| CVE-2025-38175 | binder: fix yet another UAF in binder_devices | | |
| CVE-2025-38176 | binder: fix use-after-free in binderfs_evict_inode() | | |
| CVE-2025-38177 | sch_hfsc: make hfsc_qlen_notify() idempotent | | |
| CVE-2025-38178 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.... | R | |
| CVE-2025-38179 | smb: client: fix max_sge overflow in smb_extract_folioq_to_rdma() | | |
| CVE-2025-38180 | net: atm: fix /proc/net/atm/lec handling | | |
| CVE-2025-38181 | calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). | | |
| CVE-2025-38182 | ublk: santizize the arguments from userspace when adding a device | | |
| CVE-2025-38183 | net: lan743x: fix potential out-of-bounds write in lan743x_ptp_io_event_clock_get() | | |
| CVE-2025-38184 | tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer | | |
| CVE-2025-38185 | atm: atmtcp: Free invalid length skb in atmtcp_c_send(). | | |
| CVE-2025-38186 | bnxt_en: Fix double invocation of bnxt_ulp_stop()/bnxt_ulp_start() | | |
| CVE-2025-38187 | drm/nouveau: fix a use-after-free in r535_gsp_rpc_push() | | |
| CVE-2025-38188 | drm/msm/a7xx: Call CP_RESET_CONTEXT_STATE | | |
| CVE-2025-38189 | drm/v3d: Avoid NULL pointer dereference in `v3d_job_update_stats()` | | |
| CVE-2025-38190 | atm: Revert atm_account_tx() if copy_from_iter_full() fails. | | |
| CVE-2025-38191 | ksmbd: fix null pointer dereference in destroy_previous_session | | |
| CVE-2025-38192 | net: clear the dst when changing skb protocol | | |
| CVE-2025-38193 | net_sched: sch_sfq: reject invalid perturb period | | |
| CVE-2025-38194 | jffs2: check that raw node were preallocated before writing summary | | |
| CVE-2025-38195 | LoongArch: Fix panic caused by NULL-PMD in huge_pte_offset() | | |
| CVE-2025-38196 | io_uring/rsrc: validate buffer count with offset for cloning | | |
| CVE-2025-38197 | platform/x86: dell_rbu: Fix list usage | | |
| CVE-2025-38198 | fbcon: Make sure modelist not set on unregistered console | | |
| CVE-2025-38199 | wifi: ath12k: Fix memory leak due to multiple rx_stats allocation | | |
| CVE-2025-38200 | i40e: fix MMIO write access to an invalid page in i40e_clear_hw | | |
| CVE-2025-38201 | netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX | | |
| CVE-2025-38202 | bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() | | |
| CVE-2025-38203 | jfs: Fix null-ptr-deref in jfs_ioc_trim | | |
| CVE-2025-38204 | jfs: fix array-index-out-of-bounds read in add_missing_indices | | |
| CVE-2025-38205 | drm/amd/display: Avoid divide by zero by initializing dummy pitch to 1 | | |
| CVE-2025-38206 | exfat: fix double free in delayed_free | | |
| CVE-2025-38207 | mm: fix uprobe pte be overwritten when expanding vma | | |
| CVE-2025-38208 | smb: client: add NULL check in automount_fullpath | | |
| CVE-2025-38209 | nvme-tcp: remove tag set when second admin queue config fails | | |
| CVE-2025-38210 | configfs-tsm-report: Fix NULL dereference of tsm_ops | | |
| CVE-2025-38211 | RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction | | |
| CVE-2025-38212 | ipc: fix to protect IPCS lookups using RCU | | |
| CVE-2025-38213 | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.... | R | |
| CVE-2025-38214 | fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var | | |
| CVE-2025-38215 | fbdev: Fix do_register_framebuffer to prevent null-ptr-deref in fb_videomode_to_var | | |
| CVE-2025-38216 | iommu/vt-d: Restore context entry setup order for aliased devices | | |
| CVE-2025-38217 | hwmon: (ftsteutates) Fix TOCTOU race in fts_read() | | |
| CVE-2025-38218 | f2fs: fix to do sanity check on sit_bitmap_size | | |
| CVE-2025-38219 | f2fs: prevent kernel warning due to negative i_nlink from corrupted image | | |
| CVE-2025-38220 | ext4: only dirty folios when data journaling regular files | | |
| CVE-2025-38221 | ext4: fix out of bounds punch offset | | |
| CVE-2025-38222 | ext4: inline: fix len overflow in ext4_prepare_inline_data | | |
| CVE-2025-38223 | ceph: avoid kernel BUG for encrypted inode with unaligned file size | | |
| CVE-2025-38224 | can: kvaser_pciefd: refine error prone echo_skb_max handling logic | | |
| CVE-2025-38225 | media: imx-jpeg: Cleanup after an allocation error | | |
| CVE-2025-38226 | media: vivid: Change the siize of the composing | | |
| CVE-2025-38227 | media: vidtv: Terminating the subsequent process of initialization failure | | |
| CVE-2025-38228 | media: imagination: fix a potential memory leak in e5010_probe() | | |
| CVE-2025-38229 | media: cxusb: no longer judge rbuf when the write fails | | |
| CVE-2025-38230 | jfs: validate AG parameters in dbMount() to prevent crashes | | |
| CVE-2025-38231 | nfsd: Initialize ssc before laundromat_work to prevent NULL dereference | | |
| CVE-2025-38232 | NFSD: fix race between nfsd registration and exports_proc | | |
| CVE-2025-38233 | powerpc64/ftrace: fix clobbered r15 during livepatching | | |
| CVE-2025-38234 | sched/rt: Fix race in push_rt_task | | |
| CVE-2025-38235 | HID: appletb-kbd: fix "appletb_backlight" backlight device reference counting | | |
| CVE-2025-38236 | af_unix: Don't leave consecutive consumed OOB skbs. | | |
| CVE-2025-38237 | media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() | | |
| CVE-2025-38238 | scsi: fnic: Fix crash in fnic_wq_cmpl_handler when FDMI times out | | |
| CVE-2025-38239 | scsi: megaraid_sas: Fix invalid node index | | |
| CVE-2025-38240 | drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr | | |
| CVE-2025-38241 | mm/shmem, swap: fix softlockup with mTHP swapin | | |
| CVE-2025-38242 | mm: userfaultfd: fix race of userfaultfd_move and swap cache | | |
| CVE-2025-38243 | btrfs: fix invalid inode pointer dereferences during log replay | | |
| CVE-2025-38244 | smb: client: fix potential deadlock when reconnecting channels | | |
| CVE-2025-38245 | atm: Release atm_dev_mutex after removing procfs in atm_dev_deregister(). | | |
| CVE-2025-38246 | bnxt: properly flush XDP redirect lists | | |
| CVE-2025-38247 | userns and mnt_idmap leak in open_tree_attr(2) | | |
| CVE-2025-38248 | bridge: mcast: Fix use-after-free during router port configuration | | |
| CVE-2025-38249 | ALSA: usb-audio: Fix out-of-bounds read in snd_usb_get_audioformat_uac3() | | |
| CVE-2025-38250 | Bluetooth: hci_core: Fix use-after-free in vhci_flush() | | |
| CVE-2025-38251 | atm: clip: prevent NULL deref in clip_push() | | |
| CVE-2025-38252 | cxl/ras: Fix CPER handler device confusion | | |
| CVE-2025-38253 | HID: wacom: fix crash in wacom_aes_battery_handler() | | |
| CVE-2025-38254 | drm/amd/display: Add sanity checks for drm_edid_raw() | | |
| CVE-2025-38255 | lib/group_cpus: fix NULL pointer dereference from group_cpus_evenly() | | |
| CVE-2025-38256 | io_uring/rsrc: fix folio unpinning | | |
| CVE-2025-38257 | s390/pkey: Prevent overflow in size calculation for memdup_user() | | |
| CVE-2025-38258 | mm/damon/sysfs-schemes: free old damon_sysfs_scheme_filter->memcg_path on write | | |
| CVE-2025-38259 | ASoC: codecs: wcd9335: Fix missing free of regulator supplies | | |
| CVE-2025-38260 | btrfs: handle csum tree error with rescue=ibadroots correctly | | |
| CVE-2025-38261 | riscv: save the SR_SUM status over switches | | |
| CVE-2025-38262 | tty: serial: uartlite: register uart driver in init | | |
| CVE-2025-38263 | bcache: fix NULL pointer in cache_set_flush() | | |
| CVE-2025-38264 | nvme-tcp: sanitize request list handling | | |
| CVE-2025-38265 | serial: jsm: fix NPE during jsm_uart_port_init | | |
| CVE-2025-38266 | pinctrl: mediatek: eint: Fix invalid pointer dereference for v1 platforms | | |
| CVE-2025-38267 | ring-buffer: Do not trigger WARN_ON() due to a commit_overrun | | |
| CVE-2025-38268 | usb: typec: tcpm: move tcpm_queue_vdm_unlocked to asynchronous work | | |
| CVE-2025-38269 | btrfs: exit after state insertion failure at btrfs_convert_extent_bit() | | |
| CVE-2025-38270 | net: drv: netdevsim: don't napi_complete() from netpoll | | |
| CVE-2025-38271 | net: prevent a NULL deref in rtnl_create_link() | | |
| CVE-2025-38272 | net: dsa: b53: do not enable EEE on bcm63xx | | |
| CVE-2025-38273 | net: tipc: fix refcount warning in tipc_aead_encrypt | | |
| CVE-2025-38274 | fpga: fix potential null pointer deref in fpga_mgr_test_img_load_sgt() | | |
| CVE-2025-38275 | phy: qcom-qmp-usb: Fix an NULL vs IS_ERR() bug | | |
| CVE-2025-38276 | fs/dax: Fix "don't skip locked entries when scanning entries" | | |
| CVE-2025-38277 | mtd: nand: ecc-mxic: Fix use of uninitialized variable ret | | |
| CVE-2025-38278 | octeontx2-pf: QOS: Refactor TC_HTB_LEAF_DEL_LAST callback | | |
| CVE-2025-38279 | bpf: Do not include stack ptr register in precision backtracking bookkeeping | | |
| CVE-2025-38280 | bpf: Avoid __bpf_prog_ret0_warn when jit fails | | |
| CVE-2025-38281 | wifi: mt76: mt7996: Add NULL check in mt7996_thermal_init | | |
| CVE-2025-38282 | kernfs: Relax constraint in draining guard | | |
| CVE-2025-38283 | hisi_acc_vfio_pci: bugfix live migration function without VF device driver | | |
| CVE-2025-38284 | wifi: rtw89: pci: configure manual DAC mode via PCI config API only | | |
| CVE-2025-38285 | bpf: Fix WARN() in get_bpf_raw_tp_regs | | |
| CVE-2025-38286 | pinctrl: at91: Fix possible out-of-boundary access | | |
| CVE-2025-38287 | IB/cm: Drop lockdep assert and WARN when freeing old msg | | |
| CVE-2025-38288 | scsi: smartpqi: Fix smp_processor_id() call trace for preemptible kernels | | |
| CVE-2025-38289 | scsi: lpfc: Avoid potential ndlp use-after-free in dev_loss_tmo_callbk | | |
| CVE-2025-38290 | wifi: ath12k: fix node corruption in ar->arvifs list | | |
| CVE-2025-38291 | wifi: ath12k: Prevent sending WMI commands to firmware during firmware crash | | |
| CVE-2025-38292 | wifi: ath12k: fix invalid access to memory | | |
| CVE-2025-38293 | wifi: ath11k: fix node corruption in ar->arvifs list | | |
| CVE-2025-38294 | wifi: ath12k: fix NULL access in assign channel context handler | | |
| CVE-2025-38295 | perf/amlogic: Replace smp_processor_id() with raw_smp_processor_id() in meson_ddr_pmu_create() | | |
| CVE-2025-38296 | ACPI: platform_profile: Avoid initializing on non-ACPI platforms | | |
| CVE-2025-38297 | PM: EM: Fix potential division-by-zero error in em_compute_costs() | | |
| CVE-2025-38298 | EDAC/skx_common: Fix general protection fault | | |
| CVE-2025-38299 | ASoC: mediatek: mt8195: Set ETDM1/2 IN/OUT to COMP_DUMMY() | | |
| CVE-2025-38300 | crypto: sun8i-ce-cipher - fix error handling in sun8i_ce_cipher_prepare() | | |
| CVE-2025-38301 | nvmem: zynqmp_nvmem: unbreak driver after cleanup | | |
| CVE-2025-38302 | block: don't use submit_bio_noacct_nocheck in blk_zone_wplug_bio_work | | |
| CVE-2025-38303 | Bluetooth: eir: Fix possible crashes on eir_create_adv_data | | |
| CVE-2025-38304 | Bluetooth: Fix NULL pointer deference on eir_get_service_data | | |
| CVE-2025-38305 | ptp: remove ptp->n_vclocks check logic in ptp_vclock_in_use() | | |
| CVE-2025-38306 | fs/fhandle.c: fix a race in call of has_locked_children() | | |
| CVE-2025-38307 | ASoC: Intel: avs: Verify content returned by parse_int_array() | | |
| CVE-2025-38308 | ASoC: Intel: avs: Fix possible null-ptr-deref when initing hw | | |
| CVE-2025-38309 | drm/xe/vm: move xe_svm_init() earlier | | |
| CVE-2025-38310 | seg6: Fix validation of nexthop addresses | | |
| CVE-2025-38311 | iavf: get rid of the crit lock | | |
| CVE-2025-38312 | fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() | | |
| CVE-2025-38313 | bus: fsl-mc: fix double-free on mc_dev | | |
| CVE-2025-38314 | virtio-pci: Fix result size returned for the admin command completion | | |
| CVE-2025-38315 | Bluetooth: btintel: Check dsbr size from EFI variable | | |
| CVE-2025-38316 | wifi: mt76: mt7996: avoid NULL pointer dereference in mt7996_set_monitor() | | |
| CVE-2025-38317 | wifi: ath12k: Fix buffer overflow in debugfs | | |
| CVE-2025-38318 | perf: arm-ni: Fix missing platform_set_drvdata() | | |
| CVE-2025-38319 | drm/amd/pp: Fix potential NULL pointer dereference in atomctrl_initialize_mc_reg_table | | |
| CVE-2025-38320 | arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() | | |
| CVE-2025-38321 | smb: Log an error when close_all_cached_dirs fails | | |
| CVE-2025-38322 | perf/x86/intel: Fix crash in icl_update_topdown_event() | | |
| CVE-2025-38323 | net: atm: add lec_mutex | | |
| CVE-2025-38324 | mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). | | |
| CVE-2025-38325 | ksmbd: add free_transport ops in ksmbd connection | | |
| CVE-2025-38326 | aoe: clean device rq_list in aoedev_downdev() | | |
| CVE-2025-38327 | fgraph: Do not enable function_graph tracer when setting funcgraph-args | | |
| CVE-2025-38328 | jffs2: check jffs2_prealloc_raw_node_refs() result in few other places | | |
| CVE-2025-38329 | firmware: cs_dsp: Fix OOB memory read access in KUnit test (wmfw info) | | |
| CVE-2025-38330 | firmware: cs_dsp: Fix OOB memory read access in KUnit test (ctl cache) | | |
| CVE-2025-38331 | net: ethernet: cortina: Use TOE/TSO on all TCP | | |
| CVE-2025-38332 | scsi: lpfc: Use memcpy() for BIOS version | | |
| CVE-2025-38333 | f2fs: fix to bail out in get_new_segment() | | |
| CVE-2025-38334 | x86/sgx: Prevent attempts to reclaim poisoned pages | | |
| CVE-2025-38335 | Input: gpio-keys - fix a sleep while atomic with PREEMPT_RT | | |
| CVE-2025-38336 | ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 | | |
| CVE-2025-38337 | jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() | | |
| CVE-2025-38338 | fs/nfs/read: fix double-unlock bug in nfs_return_empty_folio() | | |
| CVE-2025-38339 | powerpc/bpf: fix JIT code size calculation of bpf trampoline | | |
| CVE-2025-38340 | firmware: cs_dsp: Fix OOB memory read access in KUnit test | | |
| CVE-2025-38341 | eth: fbnic: avoid double free when failing to DMA-map FW msg | | |
| CVE-2025-38342 | software node: Correct a OOB check in software_node_get_reference_args() | | |
| CVE-2025-38343 | wifi: mt76: mt7996: drop fragments with multicast or broadcast RA | | |
| CVE-2025-38344 | ACPICA: fix acpi parse and parseext cache leaks | | |
| CVE-2025-38345 | ACPICA: fix acpi operand cache leak in dswstate.c | | |
| CVE-2025-38346 | ftrace: Fix UAF when lookup kallsym after ftrace disabled | | |
| CVE-2025-38347 | f2fs: fix to do sanity check on ino and xnid | | |
| CVE-2025-38348 | wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() | | |
| CVE-2025-38349 | eventpoll: don't decrement ep refcount while still holding the ep mutex | | |
| CVE-2025-38350 | net/sched: Always pass notifications when child class becomes empty | | |
| CVE-2025-38351 | KVM: x86/hyper-v: Skip non-canonical addresses during PV TLB flush | | |
| CVE-2025-38352 | posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() | | |
| CVE-2025-38353 | drm/xe: Fix taking invalid lock on wedge | | |
| CVE-2025-38354 | drm/msm/gpu: Fix crash when throttling GPU immediately during boot | | |
| CVE-2025-38355 | drm/xe: Process deferred GGTT node removals on device unwind | | |
| CVE-2025-38356 | drm/xe/guc: Explicitly exit CT safe mode on unwind | | |
| CVE-2025-38357 | fuse: fix runtime warning on truncate_folio_batch_exceptionals() | | |
| CVE-2025-38358 | btrfs: fix race between async reclaim worker and close_ctree() | | |
| CVE-2025-38359 | s390/mm: Fix in_atomic() handling in do_secure_storage_access() | | |
| CVE-2025-38360 | drm/amd/display: Add more checks for DSC / HUBP ONO guarantees | | |
| CVE-2025-38361 | drm/amd/display: Check dce_hwseq before dereferencing it | | |
| CVE-2025-38362 | drm/amd/display: Add null pointer check for get_first_active_display() | | |
| CVE-2025-38363 | drm/tegra: Fix a possible null pointer dereference | | |
| CVE-2025-38364 | maple_tree: fix MA_STATE_PREALLOC flag in mas_preallocate() | | |
| CVE-2025-38365 | btrfs: fix a race between renames and directory logging | | |
| CVE-2025-38366 | LoongArch: KVM: Check validity of "num_cpu" from user space | | |
| CVE-2025-38367 | LoongArch: KVM: Avoid overflow with array index | | |
| CVE-2025-38368 | misc: tps6594-pfsm: Add NULL pointer check in tps6594_pfsm_probe() | | |
| CVE-2025-38369 | dmaengine: idxd: Check availability of workqueue allocated by idxd wq driver before using | | |
| CVE-2025-38370 | btrfs: fix failure to rebuild free space tree using multiple transactions | | |
| CVE-2025-38371 | drm/v3d: Disable interrupts before resetting the GPU | | |
| CVE-2025-38372 | RDMA/mlx5: Fix unsafe xarray access in implicit ODP handling | | |
| CVE-2025-38373 | IB/mlx5: Fix potential deadlock in MR deregistration | | |
| CVE-2025-38374 | optee: ffa: fix sleep in atomic context | | |
| CVE-2025-38375 | virtio-net: ensure the received length does not exceed allocated size | | |
| CVE-2025-38376 | usb: chipidea: udc: disconnect/reconnect from host when do suspend/resume | | |
| CVE-2025-38377 | rose: fix dangling neighbour pointers in rose_rt_device_down() | | |
| CVE-2025-38378 | HID: appletb-kbd: fix slab use-after-free bug in appletb_kbd_probe | | |
| CVE-2025-38379 | smb: client: fix warning when reconnecting channel | | |
| CVE-2025-38380 | i2c/designware: Fix an initialization issue | | |
| CVE-2025-38381 | Input: cs40l50-vibra - fix potential NULL dereference in cs40l50_upload_owt() | | |
| CVE-2025-38382 | btrfs: fix iteration of extrefs during log replay | | |
| CVE-2025-38383 | mm/vmalloc: fix data race in show_numa_info() | | |
| CVE-2025-38384 | mtd: spinand: fix memory leak of ECC engine conf | | |
| CVE-2025-38385 | net: usb: lan78xx: fix WARN in __netif_napi_del_locked on disconnect | | |
| CVE-2025-38386 | ACPICA: Refuse to evaluate a method if arguments are missing | | |
| CVE-2025-38387 | RDMA/mlx5: Initialize obj_event->obj_sub_list before xa_insert | | |
| CVE-2025-38388 | firmware: arm_ffa: Replace mutex with rwlock to avoid sleep in atomic context | | |
| CVE-2025-38389 | drm/i915/gt: Fix timeline left held on VMA alloc error | | |
| CVE-2025-38390 | firmware: arm_ffa: Fix memory leak by freeing notifier callback node | | |
| CVE-2025-38391 | usb: typec: altmodes/displayport: do not index invalid pin_assignments | | |
| CVE-2025-38392 | idpf: convert control queue mutex to a spinlock | | |
| CVE-2025-38393 | NFSv4/pNFS: Fix a race to wake on NFS_LAYOUT_DRAIN | | |
| CVE-2025-38394 | HID: appletb-kbd: fix memory corruption of input_handler_list | | |
| CVE-2025-38395 | regulator: gpio: Fix the out-of-bounds access to drvdata::gpiods | | |
| CVE-2025-38396 | fs: export anon_inode_make_secure_inode() and fix secretmem LSM bypass | | |
| CVE-2025-38397 | nvme-multipath: fix suspicious RCU usage warning | | |
| CVE-2025-38398 | spi: spi-qpic-snand: reallocate BAM transactions | | |
| CVE-2025-38399 | scsi: target: Fix NULL pointer dereference in core_scsi3_decode_spec_i_port() | | |
| CVE-2025-38400 | nfs: Clean up /proc/net/rpc/nfs when nfs_fs_proc_net_init() fails. | | |
| CVE-2025-38401 | mtk-sd: Prevent memory corruption from DMA map failure | | |
| CVE-2025-38402 | idpf: return 0 size for RSS key if not supported | | |
| CVE-2025-38403 | vsock/vmci: Clear the vmci transport packet properly when initializing it | | |
| CVE-2025-38404 | usb: typec: displayport: Fix potential deadlock | | |
| CVE-2025-38405 | nvmet: fix memory leak of bio integrity | | |
| CVE-2025-38406 | wifi: ath6kl: remove WARN on bad firmware input | | |
| CVE-2025-38407 | riscv: cpu_ops_sbi: Use static array for boot_data | | |
| CVE-2025-38408 | genirq/irq_sim: Initialize work context pointers properly | | |
| CVE-2025-38409 | drm/msm: Fix another leak in the submit error path | | |
| CVE-2025-38410 | drm/msm: Fix a fence leak in submit error path | | |
| CVE-2025-38411 | netfs: Fix double put of request | | |
| CVE-2025-38412 | platform/x86: dell-wmi-sysman: Fix WMI data block retrieval in sysfs callbacks | | |
| CVE-2025-38413 | virtio-net: xsk: rx: fix the frame's length check | | |
| CVE-2025-38414 | wifi: ath12k: fix GCC_GCC_PCIE_HOT_RST definition for WCN7850 | | |
| CVE-2025-38415 | Squashfs: check return result of sb_min_blocksize | | |
| CVE-2025-38416 | NFC: nci: uart: Set tty->disc_data only in success path | | |
| CVE-2025-38417 | ice: fix eswitch code memory leak in reset scenario | | |
| CVE-2025-38418 | remoteproc: core: Release rproc->clean_table after rproc_attach() fails | | |
| CVE-2025-38419 | remoteproc: core: Cleanup acquired resources when rproc_handle_resources() fails in rproc_attach() | | |
| CVE-2025-38420 | wifi: carl9170: do not ping device which has failed to load firmware | | |
| CVE-2025-38421 | platform/x86/amd: pmf: Use device managed allocations | | |
| CVE-2025-38422 | net: lan743x: Modify the EEPROM and OTP size for PCI1xxxx devices | | |
| CVE-2025-38423 | ASoC: codecs: wcd9375: Fix double free of regulator supplies | | |
| CVE-2025-38424 | perf: Fix sample vs do_exit() | | |
| CVE-2025-38425 | i2c: tegra: check msg length in SMBUS block read | | |
| CVE-2025-38426 | drm/amdgpu: Add basic validation for RAS header | | |
| CVE-2025-38427 | video: screen_info: Relocate framebuffers behind PCI bridges | | |
| CVE-2025-38428 | Input: ims-pcu - check record size in ims_pcu_flash_firmware() | | |
| CVE-2025-38429 | bus: mhi: ep: Update read pointer only after buffer is written | | |
| CVE-2025-38430 | nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request | | |
| CVE-2025-38431 | smb: client: fix regression with native SMB symlinks | | |
| CVE-2025-38432 | net: netpoll: Initialize UDP checksum field before checksumming | | |
| CVE-2025-38433 | riscv: fix runtime constant support for nommu kernels | | |
| CVE-2025-38434 | Revert "riscv: Define TASK_SIZE_MAX for __access_ok()" | | |
| CVE-2025-38435 | riscv: vector: Fix context save/restore with xtheadvector | | |
| CVE-2025-38436 | drm/scheduler: signal scheduled fence when kill job | | |
| CVE-2025-38437 | ksmbd: fix potential use-after-free in oplock/lease break ack | | |
| CVE-2025-38438 | ASoC: SOF: Intel: hda: Use devm_kstrdup() to avoid memleak. | | |
| CVE-2025-38439 | bnxt_en: Set DMA unmap len correctly for XDP_REDIRECT | | |
| CVE-2025-38440 | net/mlx5e: Fix race between DIM disable and net_dim() | | |
| CVE-2025-38441 | netfilter: flowtable: account for Ethernet header in nf_flow_pppoe_proto() | | |
| CVE-2025-38442 | block: reject bs > ps block devices when THP is disabled | | |
| CVE-2025-38443 | nbd: fix uaf in nbd_genl_connect() error path | | |
| CVE-2025-38444 | raid10: cleanup memleak at raid10_make_request | | |
| CVE-2025-38445 | md/raid1: Fix stack memory use after return in raid1_reshape | | |
| CVE-2025-38446 | clk: imx: Fix an out-of-bounds access in dispmix_csr_clk_dev_data | | |
| CVE-2025-38447 | mm/rmap: fix potential out-of-bounds page table access during batched unmap | | |
| CVE-2025-38448 | usb: gadget: u_serial: Fix race condition in TTY wakeup | | |
| CVE-2025-38449 | drm/gem: Acquire references on GEM handles for framebuffers | | |
| CVE-2025-38450 | wifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_sta_set_decap_offload() | | |
| CVE-2025-38451 | md/md-bitmap: fix GPF in bitmap_get_stats() | | |
| CVE-2025-38452 | net: ethernet: rtsn: Fix a null pointer dereference in rtsn_probe() | | |
| CVE-2025-38453 | io_uring/msg_ring: ensure io_kiocb freeing is deferred for RCU | | |
| CVE-2025-38454 | ALSA: ad1816a: Fix potential NULL pointer deref in snd_card_ad1816a_pnp() | | |
| CVE-2025-38455 | KVM: SVM: Reject SEV{-ES} intra host migration if vCPU creation is in-flight | | |
| CVE-2025-38456 | ipmi:msghandler: Fix potential memory corruption in ipmi_create_user() | | |
| CVE-2025-38457 | net/sched: Abort __tc_modify_qdisc if parent class does not exist | | |
| CVE-2025-38458 | atm: clip: Fix NULL pointer dereference in vcc_sendmsg() | | |
| CVE-2025-38459 | atm: clip: Fix infinite recursive call of clip_push(). | | |
| CVE-2025-38460 | atm: clip: Fix potential null-ptr-deref in to_atmarpd(). | | |
| CVE-2025-38461 | vsock: Fix transport_* TOCTOU | | |
| CVE-2025-38462 | vsock: Fix transport_{g2h,h2g} TOCTOU | | |
| CVE-2025-38463 | tcp: Correct signedness in skb remaining space calculation | | |
| CVE-2025-38464 | tipc: Fix use-after-free in tipc_conn_close(). | | |
| CVE-2025-38465 | netlink: Fix wraparounds of sk->sk_rmem_alloc. | | |
| CVE-2025-38466 | perf: Revert to requiring CAP_SYS_ADMIN for uprobes | | |
| CVE-2025-38467 | drm/exynos: exynos7_drm_decon: add vblank check in IRQ handling | | |
| CVE-2025-38468 | net/sched: Return NULL when htb_lookup_leaf encounters an empty rbtree | | |
| CVE-2025-38469 | KVM: x86/xen: Fix cleanup logic in emulation of Xen schedop poll hypercalls | | |
| CVE-2025-38470 | net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime | | |
| CVE-2025-38471 | tls: always refresh the queue when reading sock | | |
| CVE-2025-38472 | netfilter: nf_conntrack: fix crash due to removal of uninitialised entry | | |
| CVE-2025-38473 | Bluetooth: Fix null-ptr-deref in l2cap_sock_resume_cb() | | |
| CVE-2025-38474 | usb: net: sierra: check for no status endpoint | | |
| CVE-2025-38475 | smc: Fix various oops due to inet_sock type confusion. | | |
| CVE-2025-38476 | rpl: Fix use-after-free in rpl_do_srh_inline(). | | |
| CVE-2025-38477 | net/sched: sch_qfq: Fix race condition on qfq_aggregate | | |
| CVE-2025-38478 | comedi: Fix initialization of data for instructions that write to subdevice | | |
| CVE-2025-38479 | dmaengine: fsl-edma: free irq correctly in remove path | | |
| CVE-2025-38480 | comedi: Fix use of uninitialized data in insn_rw_emulate_bits() | | |
| CVE-2025-38481 | comedi: Fail COMEDI_INSNLIST ioctl if n_insns is too large | | |
| CVE-2025-38482 | comedi: das6402: Fix bit shift out of bounds | | |
| CVE-2025-38483 | comedi: das16m1: Fix bit shift out of bounds | | |
| CVE-2025-38484 | iio: backend: fix out-of-bound write | | |
| CVE-2025-38485 | iio: accel: fxls8962af: Fix use after free in fxls8962af_fifo_flush | | |
| CVE-2025-38486 | soundwire: Revert "soundwire: qcom: Add set_channel_map api support" | | |
| CVE-2025-38487 | soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled | | |
| CVE-2025-38488 | smb: client: fix use-after-free in crypt_message when using async crypto | | |
| CVE-2025-38489 | s390/bpf: Fix bpf_arch_text_poke() with new_addr == NULL again | | |
| CVE-2025-38490 | net: libwx: remove duplicate page_pool_put_full_page() | | |
| CVE-2025-38491 | mptcp: make fallback action and fallback decision atomic | | |
| CVE-2025-38492 | netfs: Fix race between cache write completion and ALL_QUEUED being set | | |
| CVE-2025-38493 | tracing/osnoise: Fix crash in timerlat_dump_stack() | | |
| CVE-2025-38494 | HID: core: do not bypass hid_hw_raw_request | | |
| CVE-2025-38495 | HID: core: ensure the allocated report buffer can contain the reserved report ID | | |
| CVE-2025-38496 | dm-bufio: fix sched in atomic context | | |
| CVE-2025-38497 | usb: gadget: configfs: Fix OOB read on empty string write | | |
| CVE-2025-38498 | do_change_type(): refuse to operate on unmounted/not ours mounts | | |
| CVE-2025-38499 | clone_private_mnt(): make sure that caller has CAP_SYS_ADMIN in the right userns | | |
| CVE-2025-38500 | xfrm: interface: fix use-after-free after changing collect_md xfrm interface | | |
| CVE-2025-38501 | ksmbd: limit repeated connections from clients with the same IP | | |
| CVE-2025-38502 | bpf: Fix oob access in cgroup local storage | | |
| CVE-2025-38503 | btrfs: fix assertion when building free space tree | | |
| CVE-2025-38504 | io_uring/zcrx: fix pp destruction warnings | | |
| CVE-2025-38505 | wifi: mwifiex: discard erroneous disassoc frames on STA interface | | |
| CVE-2025-38506 | KVM: Allow CPU to reschedule while setting per-page memory attributes | | |
| CVE-2025-38507 | HID: nintendo: avoid bluetooth suspend/resume stalls | | |
| CVE-2025-38508 | x86/sev: Use TSC_FACTOR for Secure TSC frequency calculation | | |
| CVE-2025-38509 | wifi: mac80211: reject VHT opmode for unsupported channel widths | | |
| CVE-2025-38510 | kasan: remove kasan_find_vm_area() to prevent possible deadlock | | |
| CVE-2025-38511 | drm/xe/pf: Clear all LMTT pages on alloc | | |
| CVE-2025-38512 | wifi: prevent A-MSDU attacks in mesh networks | | |
| CVE-2025-38513 | wifi: zd1211rw: Fix potential NULL pointer dereference in zd_mac_tx_to_dev() | | |
| CVE-2025-38514 | rxrpc: Fix oops due to non-existence of prealloc backlog struct | | |
| CVE-2025-38515 | drm/sched: Increment job count before swapping tail spsc queue | | |
| CVE-2025-38516 | pinctrl: qcom: msm: mark certain pins as invalid for interrupts | | |
| CVE-2025-38517 | lib/alloc_tag: do not acquire non-existent lock in alloc_tag_top_users() | | |
| CVE-2025-38518 | x86/CPU/AMD: Disable INVLPGB on Zen2 | | |
| CVE-2025-38519 | mm/damon: fix divide by zero in damon_get_intervals_score() | | |
| CVE-2025-38520 | drm/amdkfd: Don't call mmput from MMU notifier callback | | |
| CVE-2025-38521 | drm/imagination: Fix kernel crash when hard resetting the GPU | | |
| CVE-2025-38522 | sched/ext: Prevent update_locked_rq() calls with NULL rq | | |
| CVE-2025-38523 | cifs: Fix the smbd_response slab to allow usercopy | | |
| CVE-2025-38524 | rxrpc: Fix recv-recv race of completed call | | |
| CVE-2025-38525 | rxrpc: Fix irq-disabled in local_bh_enable() | | |
| CVE-2025-38526 | ice: add NULL check in eswitch lag check | | |
| CVE-2025-38527 | smb: client: fix use-after-free in cifs_oplock_break | | |
| CVE-2025-38528 | bpf: Reject %p% format string in bprintf-like helpers | | |
| CVE-2025-38529 | comedi: aio_iiro_16: Fix bit shift out of bounds | | |
| CVE-2025-38530 | comedi: pcl812: Fix bit shift out of bounds | | |
| CVE-2025-38531 | iio: common: st_sensors: Fix use of uninitialize device structs | | |
| CVE-2025-38532 | net: libwx: properly reset Rx ring descriptor | | |
| CVE-2025-38533 | net: libwx: fix the using of Rx buffer DMA | | |
| CVE-2025-38534 | netfs: Fix copy-to-cache so that it performs collection with ceph+fscache | | |
| CVE-2025-38535 | phy: tegra: xusb: Fix unbalanced regulator disable in UTMI PHY mode | | |
| CVE-2025-38536 | net: airoha: fix potential use-after-free in airoha_npu_get() | | |
| CVE-2025-38537 | net: phy: Don't register LEDs for genphy | | |
| CVE-2025-38538 | dmaengine: nbpfaxi: Fix memory corruption in probe() | | |
| CVE-2025-38539 | tracing: Add down_write(trace_event_sem) when adding trace event | | |
| CVE-2025-38540 | HID: quirks: Add quirk for 2 Chicony Electronics HP 5MP Cameras | | |
| CVE-2025-38541 | wifi: mt76: mt7925: Fix null-ptr-deref in mt7925_thermal_init() | | |
| CVE-2025-38542 | net: appletalk: Fix device refcount leak in atrtr_create() | | |
| CVE-2025-38543 | drm/tegra: nvdec: Fix dma_alloc_coherent error check | | |
| CVE-2025-38544 | rxrpc: Fix bug due to prealloc collision | | |
| CVE-2025-38545 | net: ethernet: ti: am65-cpsw-nuss: Fix skb size by accounting for skb_shared_info | | |
| CVE-2025-38546 | atm: clip: Fix memory leak of struct clip_vcc. | | |
| CVE-2025-38547 | iio: adc: axp20x_adc: Add missing sentinel to AXP717 ADC channel maps | | |
| CVE-2025-38548 | hwmon: (corsair-cpro) Validate the size of the received input buffer | | |
| CVE-2025-38549 | efivarfs: Fix memory leak of efivarfs_fs_info in fs_context error paths | | |
| CVE-2025-38550 | ipv6: mcast: Delay put pmc->idev in mld_del_delrec() | | |
| CVE-2025-38551 | virtio-net: fix recursived rtnl_lock() during probe() | | |
| CVE-2025-38552 | mptcp: plug races between subflow fail and subflow creation | | |
| CVE-2025-38553 | net/sched: Restrict conditions for adding duplicating netems to qdisc tree | | |
| CVE-2025-38554 | mm: fix a UAF when vma->mm is freed after vma->vm_refcnt got dropped | | |
| CVE-2025-38555 | usb: gadget : fix use-after-free in composite_dev_cleanup() | | |
| CVE-2025-38556 | HID: core: Harden s32ton() against conversion to 0 bits | | |
| CVE-2025-38557 | HID: apple: validate feature-report field count to prevent NULL pointer dereference | | |
| CVE-2025-38558 | usb: gadget: uvc: Initialize frame-based format color matching descriptor | | |
| CVE-2025-38559 | platform/x86/intel/pmt: fix a crashlog NULL pointer access | | |
| CVE-2025-38560 | x86/sev: Evict cache lines during SNP memory validation | | |
| CVE-2025-38561 | ksmbd: fix Preauh_HashValue race condition | | |
| CVE-2025-38562 | ksmbd: fix null pointer dereference error in generate_encryptionkey | | |
| CVE-2025-38563 | perf/core: Prevent VMA split of buffer mappings | | |
| CVE-2025-38564 | perf/core: Handle buffer mapping fail correctly in perf_mmap() | | |
| CVE-2025-38565 | perf/core: Exit early on perf_mmap() fail | | |
| CVE-2025-38566 | sunrpc: fix handling of server side tls alerts | | |
| CVE-2025-38567 | nfsd: avoid ref leak in nfsd_open_local_fh() | | |
| CVE-2025-38568 | net/sched: mqprio: fix stack out-of-bounds write in tc entry parsing | | |
| CVE-2025-38569 | benet: fix BUG when creating VFs | | |
| CVE-2025-38570 | eth: fbnic: unlink NAPIs from queues on error to open | | |
| CVE-2025-38571 | sunrpc: fix client side handling of tls alerts | | |
| CVE-2025-38572 | ipv6: reject malicious packets in ipv6_gso_segment() | | |
| CVE-2025-38573 | spi: cs42l43: Property entry should be a null-terminated array | | |
| CVE-2025-38574 | pptp: ensure minimal skb length in pptp_xmit() | | |
| CVE-2025-38575 | ksmbd: use aead_request_free to match aead_request_alloc | | |
| CVE-2025-38576 | powerpc/eeh: Make EEH driver device hotplug safe | | |
| CVE-2025-38577 | f2fs: fix to avoid panic in f2fs_evict_inode | | |
| CVE-2025-38578 | f2fs: fix to avoid UAF in f2fs_sync_inode_meta() | | |
| CVE-2025-38579 | f2fs: fix KMSAN uninit-value in extent_info usage | | |
| CVE-2025-38580 | ext4: fix inode use after free in ext4_end_io_rsv_work() | | |
| CVE-2025-38581 | crypto: ccp - Fix crash when rebind ccp device for ccp.ko | | |
| CVE-2025-38582 | RDMA/hns: Fix double destruction of rsv_qp | | |
| CVE-2025-38583 | clk: xilinx: vcu: unregister pll_post only if registered correctly | | |
| CVE-2025-38584 | padata: Fix pd UAF once and for all | | |
| CVE-2025-38585 | staging: media: atomisp: Fix stack buffer overflow in gmin_get_var_int() | | |
| CVE-2025-38586 | bpf, arm64: Fix fp initialization for exception boundary | | |
| CVE-2025-38587 | ipv6: fix possible infinite loop in fib6_info_uses_dev() | | |
| CVE-2025-38588 | ipv6: prevent infinite loop in rt6_nlmsg_size() | | |
| CVE-2025-38589 | neighbour: Fix null-ptr-deref in neigh_flush_dev(). | | |
| CVE-2025-38590 | net/mlx5e: Remove skb secpath if xfrm state is not found | | |
| CVE-2025-38591 | bpf: Reject narrower access to pointer ctx fields | | |
| CVE-2025-38592 | Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv | | |
| CVE-2025-38593 | Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()' | | |
| CVE-2025-38594 | iommu/vt-d: Fix UAF on sva unbind with pending IOPFs | | |
| CVE-2025-38595 | xen: fix UAF in dmabuf_exp_from_pages() | | |
| CVE-2025-38596 | drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code | | |
| CVE-2025-38597 | drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port | | |
| CVE-2025-38598 | drm/amdgpu: fix use-after-free in amdgpu_userq_suspend+0x51a/0x5a0 | | |
| CVE-2025-38599 | wifi: mt76: mt7996: Fix possible OOB access in mt7996_tx() | | |
| CVE-2025-38600 | wifi: mt76: mt7925: fix off by one in mt7925_mcu_hw_scan() | | |
| CVE-2025-38601 | wifi: ath11k: clear initialized flag for deinit-ed srng lists | | |
| CVE-2025-38602 | iwlwifi: Add missing check for alloc_ordered_workqueue | | |
| CVE-2025-38603 | drm/amdgpu: fix slab-use-after-free in amdgpu_userq_mgr_fini+0x70c | | |
| CVE-2025-38604 | wifi: rtl818x: Kill URBs before clearing tx status queue | | |
| CVE-2025-38605 | wifi: ath12k: Pass ab pointer directly to ath12k_dp_tx_get_encap_type() | | |
| CVE-2025-38606 | wifi: ath12k: Avoid accessing uninitialized arvif->ar during beacon miss | | |
| CVE-2025-38607 | bpf: handle jset (if a & b ...) as a jump in CFG computation | | |
| CVE-2025-38608 | bpf, ktls: Fix data corruption when using bpf_msg_pop_data() in ktls | | |
| CVE-2025-38609 | PM / devfreq: Check governor before using governor->name | | |
| CVE-2025-38610 | powercap: dtpm_cpu: Fix NULL pointer dereference in get_pd_power_uw() | | |
| CVE-2025-38611 | vmci: Prevent the dispatching of uninitialized payloads | | |
| CVE-2025-38612 | staging: fbtft: fix potential memory leak in fbtft_framebuffer_alloc() | | |
| CVE-2025-38613 | staging: gpib: fix unset padding field copy back to userspace | | |
| CVE-2025-38614 | eventpoll: Fix semi-unbounded recursion | | |
| CVE-2025-38615 | fs/ntfs3: cancle set bad inode after removing name fails | | |
| CVE-2025-38616 | tls: handle data disappearing from under the TLS ULP | | |
| CVE-2025-38617 | net/packet: fix a race in packet_set_ring() and packet_notifier() | | |
| CVE-2025-38618 | vsock: Do not allow binding to VMADDR_PORT_ANY | | |
| CVE-2025-38619 | media: ti: j721e-csi2rx: fix list_del corruption | | |
| CVE-2025-38620 | zloop: fix KASAN use-after-free of tag set | | |
| CVE-2025-38621 | md: make rdev_addable usable for rcu mode | | |
| CVE-2025-38622 | net: drop UFO packets in udp_rcv_segment() | | |
| CVE-2025-38623 | PCI: pnv_php: Fix surprise plug detection and recovery | | |
| CVE-2025-38624 | PCI: pnv_php: Clean up allocated IRQs on unplug | | |
| CVE-2025-38625 | vfio/pds: Fix missing detach_ioas op | | |
| CVE-2025-38626 | f2fs: fix to trigger foreground gc during f2fs_map_blocks() in lfs mode | | |
| CVE-2025-38627 | f2fs: compress: fix UAF of f2fs_inode_info in f2fs_free_dic | | |
| CVE-2025-38628 | vdpa/mlx5: Fix release of uninitialized resources on error path | | |
| CVE-2025-38629 | ALSA: usb: scarlett2: Fix missing NULL check | | |
| CVE-2025-38630 | fbdev: imxfb: Check fb_add_videomode to prevent null-ptr-deref | | |
| CVE-2025-38631 | clk: imx95-blk-ctl: Fix synchronous abort | | |
| CVE-2025-38632 | pinmux: fix race causing mux_owner NULL with active mux_usecount | | |
| CVE-2025-38633 | clk: spacemit: mark K1 pll1_d8 as critical | | |
| CVE-2025-38634 | power: supply: cpcap-charger: Fix null check for power_supply_get_by_name | | |
| CVE-2025-38635 | clk: davinci: Add NULL check in davinci_lpsc_clk_register() | | |
| CVE-2025-38636 | rv: Use strings in da monitors tracepoints | | |
| CVE-2025-38637 | net_sched: skbprio: Remove overly strict queue assertions | | |
| CVE-2025-38638 | ipv6: add a retry logic in net6_rt_notify() | | |
| CVE-2025-38639 | netfilter: xt_nfacct: don't assume acct name is null-terminated | | |
| CVE-2025-38640 | bpf: Disable migration in nf_hook_run_bpf(). | | |
| CVE-2025-38641 | Bluetooth: btusb: Fix potential NULL dereference on kmalloc failure | | |
| CVE-2025-38642 | wifi: mac80211: fix WARN_ON for monitor mode on some devices | | |
| CVE-2025-38643 | wifi: cfg80211: Add missing lock in cfg80211_check_and_end_cac() | | |
| CVE-2025-38644 | wifi: mac80211: reject TDLS operations when station is not associated | | |
| CVE-2025-38645 | net/mlx5: Check device memory pointer before usage | | |
| CVE-2025-38646 | wifi: rtw89: avoid NULL dereference when RX problematic packet on unsupported 6 GHz band | | |
| CVE-2025-38647 | wifi: rtw89: sar: drop lockdep assertion in rtw89_set_sar_from_acpi | | |
| CVE-2025-38648 | spi: stm32: Check for cfg availability in stm32_spi_probe | | |
| CVE-2025-38649 | arm64: dts: qcom: qcs615: fix a crash issue caused by infinite loop for Coresight | | |
| CVE-2025-38650 | hfsplus: remove mutex_lock check in hfsplus_free_extents | | |
| CVE-2025-38651 | landlock: Fix warning from KUnit tests | | |
| CVE-2025-38652 | f2fs: fix to avoid out-of-boundary access in devs.path | | |
| CVE-2025-38653 | proc: use the same treatment to check proc_lseek as ones for proc_read_iter et.al | | |
| CVE-2025-38654 | pinctrl: canaan: k230: Fix order of DT parse and pinctrl register | | |
| CVE-2025-38655 | pinctrl: canaan: k230: add NULL check in DT parse | | |
| CVE-2025-38656 | wifi: iwlwifi: Fix error code in iwl_op_mode_dvm_start() | | |
| CVE-2025-38657 | wifi: rtw89: mcc: prevent shift wrapping in rtw89_core_mlsr_switch() | | |
| CVE-2025-38658 | nvmet: pci-epf: Do not complete commands twice if nvmet_req_init() fails | | |
| CVE-2025-38659 | gfs2: No more self recovery | | |
| CVE-2025-38660 | [ceph] parse_longname(): strrchr() expects NUL-terminated string | | |
| CVE-2025-38661 | platform/x86: alienware-wmi-wmax: Fix `dmi_system_id` array | | |
| CVE-2025-38662 | ASoC: mediatek: mt8365-dai-i2s: pass correct size to mt8365_dai_set_priv | | |
| CVE-2025-38663 | nilfs2: reject invalid file types when reading inodes | | |
| CVE-2025-38664 | ice: Fix a null pointer dereference in ice_copy_and_init_pkg() | | |
| CVE-2025-38665 | can: netlink: can_changelink(): fix NULL pointer deref of struct can_priv::do_set_mode | | |
| CVE-2025-38666 | net: appletalk: Fix use-after-free in AARP proxy probe | | |
| CVE-2025-38667 | iio: fix potential out-of-bound write | | |
| CVE-2025-38668 | regulator: core: fix NULL dereference on unbind due to stale coupling data | | |
| CVE-2025-38669 | Revert "drm/gem-shmem: Use dma_buf from GEM object instance" | | |
| CVE-2025-38670 | arm64/entry: Mask DAIF in cpu_switch_to(), call_on_irq_stack() | | |
| CVE-2025-38671 | i2c: qup: jump out of the loop in case of timeout | | |
| CVE-2025-38672 | Revert "drm/gem-dma: Use dma_buf from GEM object instance" | | |
| CVE-2025-38673 | Revert "drm/gem-framebuffer: Use dma_buf from GEM object instance" | | |
| CVE-2025-38674 | Revert "drm/prime: Use dma_buf from GEM object instance" | | |
| CVE-2025-38675 | xfrm: state: initialize state_ptrs earlier in xfrm_state_find | | |
| CVE-2025-38676 | iommu/amd: Avoid stack buffer overflow from kernel cmdline | | |
| CVE-2025-38738 | SupportAssist for Home PCs Installer exe version(s) 4.8.2.29006 and prior, contain(s) an Incorrect P... | | |
| CVE-2025-38739 | Dell Digital Delivery, versions prior to 5.6.1.0, contains an Insufficiently Protected Credentials v... | | |
| CVE-2025-38741 | Dell Enterprise SONiC OS, version 4.5.0, contains a cryptographic key vulnerability in SSH. An unaut... | | |
| CVE-2025-38742 | Dell iDRAC Service Module (iSM), versions prior to 6.0.3.0, contains an Incorrect Permission Assignm... | | |
| CVE-2025-38743 | Dell iDRAC Service Module (iSM), versions prior to 6.0.3.0, contains a Buffer Access with Incorrect ... | | |
| CVE-2025-38745 | Dell OpenManage Enterprise, versions 3.10, 4.0, 4.1, and 4.2, contains an Insertion of Sensitive Inf... | | |
| CVE-2025-38746 | Dell SupportAssist OS Recovery, versions prior to 5.5.14.0, contains an Exposure of Sensitive Inform... | | |
| CVE-2025-38747 | Dell SupportAssist OS Recovery, versions prior to 5.5.14.0, contain a Creation of Temporary File Wit... | |