SB2025102390 - Ubuntu update for linux
Published: October 23, 2025
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 59 secuirty vulnerabilities.
1) Out-of-bounds read (CVE-ID: CVE-2025-40114)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the veml6075_read_uv_direct() function in drivers/iio/light/veml6075.c. A local user can perform a denial of service (DoS) attack.
2) Out-of-bounds read (CVE-ID: CVE-2025-39735)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the ea_get() function in fs/jfs/xattr.c. A local user can perform a denial of service (DoS) attack.
3) Resource management error (CVE-ID: CVE-2025-39728)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the samsung_clk_init() function in drivers/clk/samsung/clk.c. A local user can perform a denial of service (DoS) attack.
4) Memory leak (CVE-ID: CVE-2025-39682)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the decrypt_skb() and tls_sw_recvmsg() functions in net/tls/tls_sw.c. A local user can perform a denial of service (DoS) attack.
5) Improper locking (CVE-ID: CVE-2025-38637)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the skbprio_enqueue() and skbprio_dequeue() functions in net/sched/sch_skbprio.c. A local user can perform a denial of service (DoS) attack.
6) Use-after-free (CVE-ID: CVE-2025-38575)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the kfree() function in fs/smb/server/auth.c. A local user can escalate privileges on the system.
7) NULL pointer dereference (CVE-ID: CVE-2025-38240)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the mtk_dp_parse_capabilities() and mtk_dp_wait_hpd_asserted() functions in drivers/gpu/drm/mediatek/mtk_dp.c. A local user can perform a denial of service (DoS) attack.
8) NULL pointer dereference (CVE-ID: CVE-2025-38152)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the rproc_shutdown() function in drivers/remoteproc/remoteproc_core.c. A local user can perform a denial of service (DoS) attack.
9) Division by zero (CVE-ID: CVE-2025-37937)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to a division by zero error within the dib8000_set_dds() function in drivers/media/dvb-frontends/dib8000.c. A local user can perform a denial of service (DoS) attack.
10) Integer underflow (CVE-ID: CVE-2025-23138)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to integer underflow within the watch_queue_set_size() function in kernel/watch_queue.c. A local user can execute arbitrary code.
11) NULL pointer dereference (CVE-ID: CVE-2025-23136)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the int3402_thermal_probe() function in drivers/thermal/intel/int340x_thermal/int3402_thermal.c. A local user can perform a denial of service (DoS) attack.
12) Use-after-free (CVE-ID: CVE-2025-22097)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the vkms_init() and vkms_destroy() functions in drivers/gpu/drm/vkms/vkms_drv.c. A local user can escalate privileges on the system.
13) Resource management error (CVE-ID: CVE-2025-22095)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the brcm_pcie_add_bus() function in drivers/pci/controller/pcie-brcmstb.c. A local user can perform a denial of service (DoS) attack.
14) Resource management error (CVE-ID: CVE-2025-22090)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the copy_page_range() function in mm/memory.c, within the vm_area_dup() function in kernel/fork.c, within the get_pat_info() and untrack_pfn() functions in arch/x86/mm/pat/memtype.c. A local user can perform a denial of service (DoS) attack.
15) NULL pointer dereference (CVE-ID: CVE-2025-22089)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the ib_setup_device_attrs() function in drivers/infiniband/core/sysfs.c, within the rdma_init_coredev() function in drivers/infiniband/core/device.c. A local user can perform a denial of service (DoS) attack.
16) NULL pointer dereference (CVE-ID: CVE-2025-22086)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the ntohl() function in drivers/infiniband/hw/mlx5/cq.c. A local user can perform a denial of service (DoS) attack.
17) Memory leak (CVE-ID: CVE-2025-22083)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the vhost_scsi_set_endpoint(), target_undepend_item() and vhost_scsi_flush() functions in drivers/vhost/scsi.c. A local user can perform a denial of service (DoS) attack.
18) Integer overflow (CVE-ID: CVE-2025-22081)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to integer overflow within the index_hdr_check() function in fs/ntfs3/index.c. A local user can execute arbitrary code.
19) Integer overflow (CVE-ID: CVE-2025-22080)
The vulnerability allows a local user to execute arbitrary code.
The vulnerability exists due to integer overflow within the fs/ntfs3/ntfs.h. A local user can execute arbitrary code.
20) Out-of-bounds read (CVE-ID: CVE-2025-22079)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the __ocfs2_find_path() function in fs/ocfs2/alloc.c. A local user can perform a denial of service (DoS) attack.
21) Improper locking (CVE-ID: CVE-2025-22075)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the rtnl_vfinfo_size() function in net/core/rtnetlink.c. A local user can perform a denial of service (DoS) attack.
22) Memory leak (CVE-ID: CVE-2025-22073)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the spufs_fill_dir() function in arch/powerpc/platforms/cell/spufs/inode.c. A local user can perform a denial of service (DoS) attack.
23) Memory leak (CVE-ID: CVE-2025-22072)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak in arch/powerpc/platforms/cell/spufs/inode.c. A local user can perform a denial of service (DoS) attack.
24) Memory leak (CVE-ID: CVE-2025-22071)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the spufs_create_context() function in arch/powerpc/platforms/cell/spufs/inode.c. A local user can perform a denial of service (DoS) attack.
25) NULL pointer dereference (CVE-ID: CVE-2025-22070)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the v9fs_vfs_mkdir_dotl() function in fs/9p/vfs_inode_dotl.c. A local user can perform a denial of service (DoS) attack.
26) Use-after-free (CVE-ID: CVE-2025-22068)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the ublk_abort_queue() and ublk_abort_requests() functions in drivers/block/ublk_drv.c. A local user can escalate privileges on the system.
27) NULL pointer dereference (CVE-ID: CVE-2025-22066)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the imx_card_probe() function in sound/soc/fsl/imx-card.c. A local user can perform a denial of service (DoS) attack.
28) NULL pointer dereference (CVE-ID: CVE-2025-22065)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the idpf_shutdown() function in drivers/net/ethernet/intel/idpf/idpf_main.c. A local user can perform a denial of service (DoS) attack.
29) Incorrect calculation (CVE-ID: CVE-2025-22064)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect calculation within the nf_tables_updchain() function in net/netfilter/nf_tables_api.c. A local user can perform a denial of service (DoS) attack.
30) NULL pointer dereference (CVE-ID: CVE-2025-22063)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the calipso_sock_getattr() and calipso_sock_setattr() functions in net/ipv6/calipso.c. A local user can perform a denial of service (DoS) attack.
31) NULL pointer dereference (CVE-ID: CVE-2025-22062)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the proc_sctp_do_auth() and proc_sctp_do_udp_port() functions in net/sctp/sysctl.c. A local user can perform a denial of service (DoS) attack.
32) Use-after-free (CVE-ID: CVE-2025-22060)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the mvpp2_prs_hw_write(), mvpp2_prs_init_from_hw(), mvpp2_prs_flow_find(), mvpp2_prs_mac_drop_all_set(), mvpp2_prs_mac_promisc_set(), mvpp2_prs_dsa_tag_set(), mvpp2_prs_dsa_tag_ethertype_set(), mvpp2_prs_vlan_find(), mvpp2_prs_vlan_add(), mvpp2_prs_double_vlan_find(), mvpp2_prs_double_vlan_add(), mvpp2_prs_mac_init(), mvpp2_prs_vlan_init(), mvpp2_prs_vid_range_find(), mvpp2_prs_vid_entry_add(), mvpp2_prs_vid_entry_remove(), mvpp2_prs_vid_remove_all(), mvpp2_prs_vid_disable_filtering(), mvpp2_prs_vid_enable_filtering(), mvpp2_prs_default_init(), mvpp2_prs_mac_da_range_find(), mvpp2_prs_mac_da_accept(), mvpp2_prs_mac_del_all(), mvpp2_prs_tag_mode_set(), mvpp2_prs_add_flow(), mvpp2_prs_def_flow() and mvpp2_prs_hits() functions in drivers/net/ethernet/marvell/mvpp2/mvpp2_prs.c, within the mvpp2_probe() function in drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c. A local user can escalate privileges on the system.
33) Memory leak (CVE-ID: CVE-2025-22058)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the udp_skb_has_head_state(), udp_rmem_release(), EXPORT_SYMBOL_GPL() and first_packet_length() functions in net/ipv4/udp.c. A local user can perform a denial of service (DoS) attack.
34) Use-after-free (CVE-ID: CVE-2025-22057)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the dst_count_dec() function in net/core/dst.c. A local user can escalate privileges on the system.
35) Resource management error (CVE-ID: CVE-2025-22056)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the nft_tunnel_obj_geneve_init() and nft_tunnel_opts_dump() functions in net/netfilter/nft_tunnel.c. A local user can perform a denial of service (DoS) attack.
36) Out-of-bounds read (CVE-ID: CVE-2025-22055)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the nft_tunnel_obj_erspan_init() function in net/netfilter/nft_tunnel.c. A local user can perform a denial of service (DoS) attack.
37) NULL pointer dereference (CVE-ID: CVE-2025-22054)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the com20020pci_probe() function in drivers/net/arcnet/com20020-pci.c. A local user can perform a denial of service (DoS) attack.
38) Improper locking (CVE-ID: CVE-2025-22053)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper locking within the veth_pool_store() function in drivers/net/ethernet/ibm/ibmveth.c. A local user can perform a denial of service (DoS) attack.
39) NULL pointer dereference (CVE-ID: CVE-2025-22050)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the drivers/net/usb/usbnet.c. A local user can perform a denial of service (DoS) attack.
40) Input validation error (CVE-ID: CVE-2025-22047)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the __apply_microcode_amd() function in arch/x86/kernel/cpu/microcode/amd.c. A local user can perform a denial of service (DoS) attack.
41) Input validation error (CVE-ID: CVE-2025-22045)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the arch/x86/include/asm/tlbflush.h. A local user can perform a denial of service (DoS) attack.
42) Resource management error (CVE-ID: CVE-2025-22044)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the acpi_nfit_ctl() function in drivers/acpi/nfit/core.c. A local user can perform a denial of service (DoS) attack.
43) Input validation error (CVE-ID: CVE-2025-22042)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the parse_lease_state() function in fs/smb/server/oplock.c. A local user can perform a denial of service (DoS) attack.
44) Use-after-free (CVE-ID: CVE-2025-22041)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the ksmbd_sessions_deregister() function in fs/smb/server/mgmt/user_session.c. A local user can escalate privileges on the system.
45) Use-after-free (CVE-ID: CVE-2025-22040)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the smb2_session_logoff() function in fs/smb/server/smb2pdu.c, within the ksmbd_expire_session(), ksmbd_sessions_deregister(), ksmbd_user_session_put() and __session_create() functions in fs/smb/server/mgmt/user_session.c, within the ksmbd_get_encryption_key() function in fs/smb/server/auth.c. A local user can escalate privileges on the system.
46) Out-of-bounds read (CVE-ID: CVE-2025-22039)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the smb_inherit_dacl() and smb_check_perm_dacl() functions in fs/smb/server/smbacl.c. A local user can perform a denial of service (DoS) attack.
47) Out-of-bounds read (CVE-ID: CVE-2025-22038)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the sid_to_id() function in fs/smb/server/smbacl.c. A local user can perform a denial of service (DoS) attack.
48) Use-after-free (CVE-ID: CVE-2025-22036)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the exfat_get_block() function in fs/exfat/inode.c. A local user can escalate privileges on the system.
49) Use-after-free (CVE-ID: CVE-2025-22035)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the wakeup_trace_open() function in kernel/trace/trace_sched_wakeup.c, within the irqsoff_trace_open() function in kernel/trace/trace_irqsoff.c, within the graph_trace_close() function in kernel/trace/trace_functions_graph.c. A local user can escalate privileges on the system.
50) NULL pointer dereference (CVE-ID: CVE-2025-22033)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the do_compat_alignment_fixup() function in arch/arm64/kernel/compat_alignment.c. A local user can perform a denial of service (DoS) attack.
51) Resource management error (CVE-ID: CVE-2025-22028)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the vimc_streamer_pipeline_terminate() function in drivers/media/test-drivers/vimc/vimc-streamer.c. A local user can perform a denial of service (DoS) attack.
52) NULL pointer dereference (CVE-ID: CVE-2025-22027)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the streamzap_disconnect() function in drivers/media/rc/streamzap.c. A local user can perform a denial of service (DoS) attack.
53) Memory leak (CVE-ID: CVE-2025-22025)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to memory leak within the nfs4_alloc_open_stateid() and nfsd_break_one_deleg() functions in fs/nfsd/nfs4state.c. A local user can perform a denial of service (DoS) attack.
54) Resource management error (CVE-ID: CVE-2025-22021)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to resource management error within the nf_sk_lookup_slow_v6() function in net/ipv6/netfilter/nf_socket_ipv6.c. A local user can perform a denial of service (DoS) attack.
55) Use-after-free (CVE-ID: CVE-2025-22020)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to a use-after-free error within the rtsx_usb_ms_drv_remove() function in drivers/memstick/host/rtsx_usb_ms.c. A local user can escalate privileges on the system.
56) Improper privilege management (CVE-ID: CVE-2025-22019)
The vulnerability allows a local user to read and manipulate data.
The vulnerability exists due to improperly imposed permissions within the bch2_ioctl_subvolume_destroy() function in fs/bcachefs/fs-ioctl.c. A local user can read and manipulate data.
57) NULL pointer dereference (CVE-ID: CVE-2025-22018)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to NULL pointer dereference within the MPOA_cache_impos_rcvd() function in net/atm/mpc.c. A local user can perform a denial of service (DoS) attack.
58) Input validation error (CVE-ID: CVE-2024-58092)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation within the check_for_legacy_methods() function in fs/nfsd/nfs4recover.c. A local user can perform a denial of service (DoS) attack.
59) Out-of-bounds read (CVE-ID: CVE-2023-53034)
The vulnerability allows a local user to perform a denial of service (DoS) attack.
The vulnerability exists due to an out-of-bounds read error within the switchtec_ntb_mw_set_trans() function in drivers/ntb/hw/mscc/ntb_hw_switchtec.c. A local user can perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.