SB2025082107 - Ubuntu update for linux-hwe-6.14




Published: August 21, 2025 Updated: November 14, 2025

Security Bulletin ID: SB2025082107
Severity: Low
Patch available: YES
Number of vulnerabilities: 59
Exploitation vector: Local access
Highest impact: Code execution

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 59 security vulnerabilities.


1) NULL pointer dereference (CVE-ID: CVE-2025-38095)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the dma_resv_add_fence() function in drivers/dma-buf/dma-resv.c. A local user can perform a denial of service (DoS) attack.


2) Improper locking (CVE-ID: CVE-2025-38094)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the macb_update_stats() function in drivers/net/ethernet/cadence/macb_main.c. A local user can perform a denial of service (DoS) attack.


3) Use-after-free (CVE-ID: CVE-2025-38056)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the hda_generic_machine_select() function in sound/soc/sof/intel/hda.c. A local user can escalate privileges on the system.


4) Improper locking (CVE-ID: CVE-2025-38028)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the nfs_local_open_fh() function in fs/nfs/localio.c. A local user can perform a denial of service (DoS) attack.


5) Buffer overflow (CVE-ID: CVE-2025-38027)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the max20086_regulators_register() and max20086_parse_regulators_dt() functions in drivers/regulator/max20086-regulator.c. A local user can perform a denial of service (DoS) attack.


6) NULL pointer dereference (CVE-ID: CVE-2025-38025)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the ad7616_sw_mode_setup() and ad7606b_sw_mode_setup() functions in drivers/iio/adc/ad7606.c. A local user can perform a denial of service (DoS) attack.


7) Use-after-free (CVE-ID: CVE-2025-38024)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the rxe_cq_from_init() function in drivers/infiniband/sw/rxe/rxe_cq.c. A local user can escalate privileges on the system.


8) Use-after-free (CVE-ID: CVE-2025-38023)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the nfs4_alloc_unlockdata() function in fs/nfs/nfs4proc.c. A local user can escalate privileges on the system.


9) Use-after-free (CVE-ID: CVE-2025-38022)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the ib_device_notify_register() and ib_register_device() functions in drivers/infiniband/core/device.c. A local user can escalate privileges on the system.


10) NULL pointer dereference (CVE-ID: CVE-2025-38021)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the dcn401_program_pipe() function in drivers/gpu/drm/amd/display/dc/hwss/dcn401/dcn401_hwseq.c. A local user can perform a denial of service (DoS) attack.


11) NULL pointer dereference (CVE-ID: CVE-2025-38020)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the mlx5e_fix_uplink_rep_features() function in drivers/net/ethernet/mellanox/mlx5/core/en_main.c. A local user can perform a denial of service (DoS) attack.


12) Use-after-free (CVE-ID: CVE-2025-38019)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the mlxsw_sp_neigh_rif_made_sync() function in drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c. A local user can escalate privileges on the system.


13) NULL pointer dereference (CVE-ID: CVE-2025-38018)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the tls_strp_read_copy() function in net/tls/tls_strp.c. A local user can perform a denial of service (DoS) attack.


14) Resource management error (CVE-ID: CVE-2025-38016)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to resource management error within the dispatch_hid_bpf_device_event(), dispatch_hid_bpf_raw_requests() and dispatch_hid_bpf_output_report() functions in drivers/hid/bpf/hid_bpf_dispatch.c. A local user can perform a denial of service (DoS) attack.


15) Memory leak (CVE-ID: CVE-2025-38015)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the idxd_alloc() function in drivers/dma/idxd/init.c. A local user can perform a denial of service (DoS) attack.


16) Input validation error (CVE-ID: CVE-2025-38014)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the f2fs_new_node_page() function in fs/f2fs/node.c. A local user can perform a denial of service (DoS) attack.


17) Out-of-bounds read (CVE-ID: CVE-2025-38013)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the ieee80211_register_hw() function in net/mac80211/main.c. A local user can perform a denial of service (DoS) attack.


18) Use of uninitialized resource (CVE-ID: CVE-2025-38012)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to use of uninitialized resource within the mctp_dump_addrinfo() function in net/mctp/device.c. A local user can perform a denial of service (DoS) attack.


19) Memory leak (CVE-ID: CVE-2025-38011)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the amdgpu_unmap_static_csa() function in drivers/gpu/drm/amd/amdgpu/amdgpu_csa.c. A local user can perform a denial of service (DoS) attack.


20) Race condition (CVE-ID: CVE-2025-38010)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a race condition within the DATA0_VAL_PD BIT(), DECLARE_BITMAP(), tegra186_utmi_bias_pad_power_on(), tegra186_utmi_bias_pad_power_off(), tegra186_utmi_pad_power_on() and tegra186_utmi_pad_power_down() functions in drivers/phy/tegra/xusb-tegra186.c. A local user can escalate privileges on the system.


21) Improper resource shutdown or release (CVE-ID: CVE-2025-38009)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to failure to properly release resources within the mt76_dma_cleanup() function in drivers/net/wireless/mediatek/mt76/dma.c. A local user can perform a denial of service (DoS) attack.


22) Input validation error (CVE-ID: CVE-2025-38008)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the kvm_xen_vcpu_set_attr() function in arch/x86/kvm/xen.c. A local user can perform a denial of service (DoS) attack.


23) NULL pointer dereference (CVE-ID: CVE-2025-38007)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the uclogic_input_configured() function in drivers/hid/hid-uclogic-core.c. A local user can perform a denial of service (DoS) attack.


24) Input validation error (CVE-ID: CVE-2025-38006)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the mctp_dump_addrinfo() function in net/mctp/device.c. A local user can perform a denial of service (DoS) attack.


25) Improper locking (CVE-ID: CVE-2025-38005)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the udma_check_tx_completion() function in drivers/dma/ti/k3-udma.c. A local user can perform a denial of service (DoS) attack.


26) Improper locking (CVE-ID: CVE-2025-38002)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the napi_show_fdinfo() and io_uring_show_fdinfo() functions in io_uring/fdinfo.c. A local user can perform a denial of service (DoS) attack.


27) Improper locking (CVE-ID: CVE-2025-37999)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking in fs/erofs/fileio.c. A local user can perform a denial of service (DoS) attack.


28) Incorrect calculation (CVE-ID: CVE-2025-37998)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect calculation within the output_userspace() function in net/openvswitch/actions.c. A local user can perform a denial of service (DoS) attack.


29) Use of uninitialized resource (CVE-ID: CVE-2025-37996)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to use of uninitialized resource within the user_mem_abort() function in arch/arm64/kvm/mmu.c. A local user can perform a denial of service (DoS) attack.


30) Improper error handling (CVE-ID: CVE-2025-37995)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper error handling within the module_kobj_release() function in kernel/params.c. A local user can perform a denial of service (DoS) attack.


31) NULL pointer dereference (CVE-ID: CVE-2025-37994)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the ucsi_displayport_remove_partner() function in drivers/usb/typec/ucsi/displayport.c. A local user can perform a denial of service (DoS) attack.


32) Improper locking (CVE-ID: CVE-2025-37993)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the m_can_class_allocate_dev() function in drivers/net/can/m_can/m_can.c. A local user can perform a denial of service (DoS) attack.


33) NULL pointer dereference (CVE-ID: CVE-2025-37992)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the pie_change() function in net/sched/sch_pie.c, within the hhf_change() function in net/sched/sch_hhf.c, within the fq_pie_change() function in net/sched/sch_fq_pie.c, within the fq_codel_change() function in net/sched/sch_fq_codel.c, within the fq_change() function in net/sched/sch_fq.c, within the codel_change() function in net/sched/sch_codel.c. A local user can perform a denial of service (DoS) attack.


34) Buffer overflow (CVE-ID: CVE-2025-37973)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the cfg80211_defrag_mle() function in net/wireless/scan.c. A local user can perform a denial of service (DoS) attack.


35) NULL pointer dereference (CVE-ID: CVE-2025-37972)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the mtk_pmic_keys_lp_reset_setup() function in drivers/input/keyboard/mtk-pmic-keys.c. A local user can perform a denial of service (DoS) attack.


36) NULL pointer dereference (CVE-ID: CVE-2025-37971)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the bcm2835_mmal_probe() function in drivers/staging/vc04_services/bcm2835-camera/bcm2835-camera.c. A local user can perform a denial of service (DoS) attack.


37) Improper locking (CVE-ID: CVE-2025-37970)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the st_lsm6dsx_read_fifo() function in drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c. A local user can perform a denial of service (DoS) attack.


38) Infinite loop (CVE-ID: CVE-2025-37969)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop within the st_lsm6dsx_read_tagged_fifo() function in drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_buffer.c. A local user can perform a denial of service (DoS) attack.


39) Improper locking (CVE-ID: CVE-2025-37968)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the opt3001_irq() function in drivers/iio/light/opt3001.c. A local user can perform a denial of service (DoS) attack.


40) Improper locking (CVE-ID: CVE-2025-37967)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the ucsi_set_drvdata() function in drivers/usb/typec/ucsi/ucsi.c, within the ucsi_displayport_enter(), ucsi_displayport_exit() and ucsi_displayport_vdm() functions in drivers/usb/typec/ucsi/displayport.c. A local user can perform a denial of service (DoS) attack.


41) Input validation error (CVE-ID: CVE-2025-37966)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the set_tagged_addr_ctrl() function in arch/riscv/kernel/process.c. A local user can perform a denial of service (DoS) attack.


42) Buffer overflow (CVE-ID: CVE-2025-37965)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the populate_dml_surface_cfg_from_plane_state(), get_scaler_data_for_plane() and populate_dml_plane_cfg_from_plane_state() functions in drivers/gpu/drm/amd/display/dc/dml2/dml2_translation_helper.c. A local user can perform a denial of service (DoS) attack.


43) Resource management error (CVE-ID: CVE-2025-37964)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to resource management error within the switch_mm_irqs_off() and should_flush_tlb() functions in arch/x86/mm/tlb.c. A local user can perform a denial of service (DoS) attack.


44) Input validation error (CVE-ID: CVE-2025-37963)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the build_bhb_mitigation() function in arch/arm64/net/bpf_jit_comp.c. A local user can perform a denial of service (DoS) attack.


45) Memory leak (CVE-ID: CVE-2025-37962)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the parse_lease_state() function in fs/smb/server/oplock.c. A local user can perform a denial of service (DoS) attack.


46) Use of uninitialized resource (CVE-ID: CVE-2025-37961)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to use of uninitialized resource within the __mtu_check_toobig_v6(), do_output_route4() and __ip_vs_get_out_rt() functions in net/netfilter/ipvs/ip_vs_xmit.c. A local user can perform a denial of service (DoS) attack.


47) Resource management error (CVE-ID: CVE-2025-37960)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to resource management error within the memblock_double_array() function in mm/memblock.c. A local user can perform a denial of service (DoS) attack.


48) Input validation error (CVE-ID: CVE-2025-37959)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the skb_do_redirect() function in net/core/filter.c. A local user can perform a denial of service (DoS) attack.


49) Improper locking (CVE-ID: CVE-2025-37958)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the __split_huge_pmd_locked() and split_huge_pmd_locked() functions in mm/huge_memory.c. A local user can perform a denial of service (DoS) attack.


50) Use-after-free (CVE-ID: CVE-2025-37957)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the shutdown_interception() function in arch/x86/kvm/svm/svm.c, within the kvm_smm_changed() function in arch/x86/kvm/smm.c. A local user can escalate privileges on the system.


51) Buffer overflow (CVE-ID: CVE-2025-37956)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory corruption within the smb2_get_name() function in fs/smb/server/smb2pdu.c. A local user can perform a denial of service (DoS) attack.


52) Memory leak (CVE-ID: CVE-2025-37955)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the virtnet_xsk_pool_enable() and virtqueue_dma_unmap_single_attrs() functions in drivers/net/virtio_net.c. A local user can perform a denial of service (DoS) attack.


53) Memory leak (CVE-ID: CVE-2025-37954)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the find_or_create_cached_dir() function in fs/smb/client/cached_dir.c. A local user can perform a denial of service (DoS) attack.


54) Use-after-free (CVE-ID: CVE-2025-37952)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a use-after-free error within the __close_file_table_ids() function in fs/smb/server/vfs_cache.c. A local user can escalate privileges on the system.


55) Memory leak (CVE-ID: CVE-2025-37951)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to memory leak within the v3d_gpu_reset_for_timeout(), v3d_cl_job_timedout() and v3d_csd_job_timedout() functions in drivers/gpu/drm/v3d/v3d_sched.c. A local user can perform a denial of service (DoS) attack.


56) NULL pointer dereference (CVE-ID: CVE-2025-37950)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to NULL pointer dereference within the ocfs2_grab_folios() function in fs/ocfs2/alloc.c. A local user can perform a denial of service (DoS) attack.


57) Improper locking (CVE-ID: CVE-2025-37949)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper locking within the xs_suspend_exit(), xs_send(), xs_wait_for_reply(), xenbus_dev_request_and_reply() and xs_talkv() functions in drivers/xen/xenbus/xenbus_xs.c, within the xenbus_dev_queue_reply() function in drivers/xen/xenbus/xenbus_dev_frontend.c, within the process_msg() and process_writes() functions in drivers/xen/xenbus/xenbus_comms.c. A local user can perform a denial of service (DoS) attack.


58) Input validation error (CVE-ID: CVE-2025-37948)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation within the pr_fmt(), build_plt(), build_epilogue() and bpf_int_jit_compile() functions in arch/arm64/net/bpf_jit_comp.c, within the this_cpu_set_vectors() function in arch/arm64/kernel/proton-pack.c. A local user can perform a denial of service (DoS) attack.


59) Out-of-bounds read (CVE-ID: CVE-2025-37947)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to an out-of-bounds read error within the ksmbd_vfs_stream_write() function in fs/smb/server/vfs.c. A local user can perform a denial of service (DoS) attack.


Remediation

Install the update from the vendor's website.