0.0
CVE-2025-38599 - wifi: mt76: mt7996: Fix possible OOB access in mt7996_tx()
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: Fix possible OOB access in mt7996_tx() Fis possible Out-Of-Boundary access in mt7996_tx routine if link_id is set to IEEE80211_LINK_UNSPECIFIED
0.0
CVE-2025-38598 - drm/amdgpu: fix use-after-free in amdgpu_userq_suspend+0x51a/0x5a0
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix use-after-free in amdgpu_userq_suspend+0x51a/0x5a0 [ +0.000020] BUG: KASAN: slab-use-after-free in amdgpu_userq_suspend+0x51a/0x5a0 [amdgpu] [ +0.000817] Read of size 8 at addr ffff88812eec8c58 by task amd_pci_uβ¦
0.0
CVE-2025-38597 - drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port
In the Linux kernel, the following vulnerability has been resolved: drm/rockchip: vop2: fail cleanly if missing a primary plane for a video-port Each window of a vop2 is usable by a specific set of video ports, so while binding the vop2, we look through the list of available windows trying to finβ¦
0.0
CVE-2025-38596 - drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code
In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Fix UAF in panthor_gem_create_with_handle() debugfs code The object is potentially already gone after the drm_gem_object_put(). In general the object should be fully constructed before calling drm_gem_handle_create()β¦
0.0
CVE-2025-38595 - xen: fix UAF in dmabuf_exp_from_pages()
In the Linux kernel, the following vulnerability has been resolved: xen: fix UAF in dmabuf_exp_from_pages() [dma_buf_fd() fixes; no preferences regarding the tree it goes through - up to xen folks] As soon as we'd inserted a file reference into descriptor table, another thread could close it. Tβ¦
0.0
CVE-2025-38594 - iommu/vt-d: Fix UAF on sva unbind with pending IOPFs
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix UAF on sva unbind with pending IOPFs Commit 17fce9d2336d ("iommu/vt-d: Put iopf enablement in domain attach path") disables IOPF on device by removing the device from its IOMMU's IOPF queue when the last IOPF-capaβ¦
0.0
CVE-2025-38593 - Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()'
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: fix double free in 'hci_discovery_filter_clear()' Function 'hci_discovery_filter_clear()' frees 'uuids' array and then sets it to NULL. There is a tiny chance of the following race: 'hci_cmd_sync_work()' 'β¦
0.0
CVE-2025-38592 - Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_devcd_dump: fix out-of-bounds via dev_coredumpv Currently both dev_coredumpv and skb_put_data in hci_devcd_dump use hdev->dump.head. However, dev_coredumpv can free the buffer. From dev_coredumpm_timeout documentatβ¦
0.0
CVE-2025-38591 - bpf: Reject narrower access to pointer ctx fields
In the Linux kernel, the following vulnerability has been resolved: bpf: Reject narrower access to pointer ctx fields The following BPF program, simplified from a syzkaller repro, causes a kernel warning: r0 = *(u8 *)(r1 + 169); exit; With pointer field sk being at offset 168 in __sk_buβ¦
0.0
CVE-2025-38590 - net/mlx5e: Remove skb secpath if xfrm state is not found
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Remove skb secpath if xfrm state is not found Hardware returns a unique identifier for a decrypted packet's xfrm state, this state is looked up in an xarray. However, the state might have been freed by the time of thisβ¦