[Git][security-tracker-team/security-tracker][master] Merge Linux CVEs from kernel-sec

Tue Oct 28 16:17:22 GMT 2025


Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e61c96d8 by Salvatore Bonaccorso at 2025-10-28T17:17:11+01:00
Merge Linux CVEs from kernel-sec

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -1,3 +1,217 @@
+CVE-2025-40082 [hfsplus: fix slab-out-of-bounds read in hfsplus_uni2asc()]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/bea3e1d4467bcf292c8e54f080353d556d355e26 (6.18-rc1)
+CVE-2025-40081 [perf: arm_spe: Prevent overflow in PERF_IDX2OFF()]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/a29fea30dd93da16652930162b177941abd8c75e (6.18-rc1)
+CVE-2025-40080 [nbd: restrict sockets to TCP and UDP]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/9f7c02e031570e8291a63162c6c046dc15ff85b0 (6.18-rc1)
+CVE-2025-40079 [riscv, bpf: Sign extend struct ops return values properly]
+	- linux <unfixed>
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/fd2e08128944a7679e753f920e9eda72057e427c (6.18-rc1)
+CVE-2025-40078 [bpf: Explicitly check accesses to bpf_sock_addr]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/6fabca2fc94d33cdf7ec102058983b086293395f (6.18-rc1)
+CVE-2025-40077 [f2fs: fix to avoid overflow while left shift operation]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/0fe1c6bec54ea68ed8c987b3890f2296364e77bb (6.18-rc1)
+CVE-2025-40076 [PCI: rcar-host: Pass proper IRQ domain to generic_handle_domain_irq()]
+	- linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/d3fee10e40a938331e2aae34348691136db31304 (6.18-rc1)
+CVE-2025-40075 [tcp_metrics: use dst_dev_net_rcu()]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/50c127a69cd6285300931853b352a1918cfa180f (6.18-rc1)
+CVE-2025-40074 [ipv4: start using dst_dev_rcu()]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/6ad8de3cefdb6ffa6708b21c567df0dbf82c43a8 (6.18-rc1)
+CVE-2025-40073 [drm/msm: Do not validate SSPP when it is not ready]
+	- linux <unfixed>
+	[trixie] - linux <not-affected> (Vulnerable code not present)
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/6fc616723bb5fd4289d7422fa013da062b44ae55 (6.18-rc1)
+CVE-2025-40072 [fanotify: Validate the return value of mnt_ns_from_dentry() before dereferencing]
+	- linux <unfixed>
+	[trixie] - linux <not-affected> (Vulnerable code not present)
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/62e59ffe8787b5550ccff70c30b6f6be6a3ac3dd (6.18-rc1)
+CVE-2025-40071 [tty: n_gsm: Don't block input queue by waiting MSC]
+	- linux <unfixed>
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/3cf0b3c243e56bc43be560617416c1d9f301f44c (6.18-rc1)
+CVE-2025-40070 [pps: fix warning in pps_register_cdev when register device fail]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/b0531cdba5029f897da5156815e3bdafe1e9b88d (6.18-rc1)
+CVE-2025-40069 [drm/msm: Fix obj leak in VM_BIND error path]
+	- linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/278f8904434aa96055e793936b5977c010549e28 (6.18-rc1)
+CVE-2025-40068 [fs: ntfs3: Fix integer overflow in run_unpack()]
+	- linux <unfixed>
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/736fc7bf5f68f6b74a0925b7e072c571838657d2 (6.18-rc1)
+CVE-2025-40067 [fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist]
+	- linux <unfixed>
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/0dc7117da8f92dd5fe077d712a756eccbe377d40 (6.18-rc1)
+CVE-2025-40066 [wifi: mt76: mt7996: Check phy before init msta_link in mt7996_mac_sta_add_links()]
+	- linux <unfixed>
+	[trixie] - linux <not-affected> (Vulnerable code not present)
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/fe5fffadc6c77c56f122cf1042dc830f59e904bf (6.18-rc1)
+CVE-2025-40065 [RISC-V: KVM: Write hgatp register with valid mode bits]
+	- linux <unfixed>
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/2b351e3d04be9e1533f26c3464f1e44a5beace30 (6.18-rc1)
+CVE-2025-40064 [smc: Fix use-after-free in __pnet_find_base_ndev().]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/3d3466878afd8d43ec0ca2facfbc7f03e40d0f79 (6.18-rc1)
+CVE-2025-40063 [crypto: comp - Use same definition of context alloc and free ops]
+	- linux <unfixed>
+	[trixie] - linux <not-affected> (Vulnerable code not present)
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/f75f66683ded09f7135aef2e763c245a07c8271a (6.18-rc1)
+CVE-2025-40062 [crypto: hisilicon/qm - set NULL to qm->debug.qm_diff_regs]
+	- linux <unfixed>
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/f0cafb02de883b3b413d34eb079c9680782a9cc1 (6.18-rc1)
+CVE-2025-40061 [RDMA/rxe: Fix race in do_task() when draining]
+	- linux <unfixed>
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/8ca7eada62fcfabf6ec1dc7468941e791c1d8729 (6.18-rc1)
+CVE-2025-40060 [coresight: trbe: Return NULL pointer for allocation failures]
+	- linux <unfixed>
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/8a55c161f7f9c1aa1c70611b39830d51c83ef36d (6.18-rc1)
+CVE-2025-40059 [coresight: Fix incorrect handling for return value of devm_kzalloc]
+	- linux <unfixed>
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/70714eb7243eaf333d23501d4c7bdd9daf011c01 (6.18-rc1)
+CVE-2025-40058 [iommu/vt-d: Disallow dirty tracking if incoherent page walk]
+	- linux <unfixed>
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/57f55048e564dedd8a4546d018e29d6bbfff0a7e (6.18-rc1)
+CVE-2025-40057 [ptp: Add a upper bound on max_vclocks]
+	- linux <unfixed>
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/e9f35294e18da82162004a2f35976e7031aaf7f9 (6.18-rc1)
+CVE-2025-40056 [vhost: vringh: Fix copy_to_iter return value check]
+	- linux <unfixed>
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/439263376c2c4e126cac0d07e4987568de4eaba5 (6.18-rc1)
+CVE-2025-40055 [ocfs2: fix double free in user_cluster_connect()]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/8f45f089337d924db24397f55697cda0e6960516 (6.18-rc1)
+CVE-2025-40054 [f2fs: fix UAF issue in f2fs_merge_page_bio()]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/edf7e9040fc52c922db947f9c6c36f07377c52ea (6.18-rc1)
+CVE-2025-40053 [net: dlink: handle copy_thresh allocation failure]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/8169a6011c5fecc6cb1c3654c541c567d3318de8 (6.18-rc1)
+CVE-2025-40052 [smb: client: fix crypto buffers in non-linear memory]
+	- linux <unfixed>
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/998a67b954680f26f3734040aeeed08642d49721 (6.18-rc1)
+CVE-2025-40051 [vhost: vringh: Modify the return value check]
+	- linux <unfixed>
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/82a8d0fda55b35361ee7f35b54fa2b66d7847d2b (6.18-rc1)
+CVE-2025-40050 [bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer]
+	- linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/34904582b502a86fdb4d7984b12cacd2faabbe0d (6.18-rc1)
+CVE-2025-40049 [Squashfs: fix uninit-value in squashfs_get_parent]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/74058c0a9fc8b2b4d5f4a0ef7ee2cfa66a9e49cf (6.18-rc1)
+CVE-2025-40048 [uio_hv_generic: Let userspace take care of interrupt mask]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/b15b7d2a1b09ef5428a8db260251897405a19496 (6.18-rc1)
+CVE-2025-40047 [io_uring/waitid: always prune wait queue entry in io_waitid_wait()]
+	- linux <unfixed>
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/2f8229d53d984c6a05b71ac9e9583d4354e3b91f (6.18-rc1)
+CVE-2025-40046 [io_uring/zcrx: fix overshooting recv limit]
+	- linux <unfixed>
+	[trixie] - linux <not-affected> (Vulnerable code not present)
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/09cfd3c52ea76f43b3cb15e570aeddf633d65e80 (6.18-rc1)
+CVE-2025-40045 [ASoC: codecs: wcd937x: set the comp soundwire port correctly]
+	- linux <unfixed>
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/66a940b1bf48a7095162688332d725ba160154eb (6.18-rc1)
+CVE-2025-40044 [fs: udf: fix OOB read in lengthAllocDescs handling]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/3bd5e45c2ce30e239d596becd5db720f7eb83c99 (6.18-rc1)
+CVE-2025-40043 [net: nfc: nci: Add parameter validation for packet data]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/9c328f54741bd5465ca1dc717c84c04242fac2e1 (6.18-rc1)
+CVE-2025-40042 [tracing: Fix race condition in kprobe initialization causing NULL pointer dereference]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/9cf9aa7b0acfde7545c1a1d912576e9bab28dc6f (6.18-rc1)
+CVE-2025-40041 [LoongArch: BPF: Sign-extend struct ops return values properly]
+	- linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/8b51b11b3d81c1ed48a52f87da9256d737b723a0 (6.18-rc1)
+CVE-2025-40040 [mm/ksm: fix flag-dropping behavior in ksm_madvise]
+	- linux <unfixed>
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/f04aad36a07cc17b7a5d5b9a2d386ce6fae63e93 (6.18-rc1)
+CVE-2025-40039 [ksmbd: Fix race condition in RPC handle list access]
+	- linux <unfixed>
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/305853cce379407090a73b38c5de5ba748893aee (6.18-rc1)
+CVE-2025-40038 [KVM: SVM: Skip fastpath emulation on VM-Exit if next RIP isn't valid]
+	- linux <unfixed>
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/0910dd7c9ad45a2605c45fd2bf3d1bcac087687c (6.18-rc1)
+CVE-2025-40037 [fbdev: simplefb: Fix use after free in simplefb_detach_genpds()]
+	- linux <unfixed>
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/da1bb9135213744e7ec398826c8f2e843de4fb94 (6.18-rc1)
+CVE-2025-40036 [misc: fastrpc: fix possible map leak in fastrpc_put_args]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/da1ba64176e0138f2bfa96f9e43e8c3640d01e1e (6.18-rc1)
+CVE-2025-40035 [Input: uinput - zero-initialize uinput_ff_upload_compat to avoid info leak]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/d3366a04770eea807f2826cbdb96934dd8c9bf79 (6.18-rc1)
+CVE-2025-40034 [PCI/AER: Avoid NULL pointer dereference in aer_ratelimit()]
+	- linux <unfixed>
+	[trixie] - linux <not-affected> (Vulnerable code not present)
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/deb2f228388ff3a9d0623e3b59a053e9235c341d (6.18-rc1)
+CVE-2025-40033 [remoteproc: pru: Fix potential NULL pointer dereference in pru_rproc_set_ctable()]
+	- linux <unfixed>
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/d41e075b077142bb9ae5df40b9ddf9fd7821a811 (6.18-rc1)
+CVE-2025-40032 [PCI: endpoint: pci-epf-test: Add NULL check for DMA channels before release]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/85afa9ea122dd9d4a2ead104a951d318975dcd25 (6.18-rc1)
+CVE-2025-40031 [tee: fix register_shm_helper()]
+	- linux <unfixed>
+	[bookworm] - linux <not-affected> (Vulnerable code not present)
+	[bullseye] - linux <not-affected> (Vulnerable code not present)
+	NOTE: https://git.kernel.org/linus/d5cf5b37064b1699d946e8b7ab4ac7d7d101814c (6.18-rc1)
+CVE-2025-40030 [pinctrl: check the return value of pinmux_ops::get_function_name()]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/4002ee98c022d671ecc1e4a84029e9ae7d8a5603 (6.18-rc1)
+CVE-2025-40029 [bus: fsl-mc: Check return value of platform_get_resource()]
+	- linux <unfixed>
+	NOTE: https://git.kernel.org/linus/25f526507b8ccc6ac3a43bc094d09b1f9b0b90ae (6.18-rc1)
 CVE-2025-40028 [binder: fix double-free in dbitmap]
 	- linux <unfixed>
 	[bookworm] - linux <not-affected> (Vulnerable code not present)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e61c96d8816731558f8ae15145b508222f170720

-- 
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e61c96d8816731558f8ae15145b508222f170720
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20251028/9de81e26/attachment-0001.htm>
