Analysis for 11 cve's

Author: Rohit Keshri

vulns/CVE-2025-38352.yml

@@ -0,0 +1,17 @@
+reachability: Local
+memory_corruption: no
+bug_class: Race
+impact: DoS
+privileges_required: no
+notes:
+A race problem was observed between handle_posix_cpu_timers() and posix_cpu_timer_del() in kernel/time/posix-cpu-timers.c
+
+If an exiting non-autoreaping task has already passed exit_notify() and
+calls handle_posix_cpu_timers() from IRQ, it can be reaped by its parent
+or debugger right after unlock_task_sighand().
+
+If a concurrent posix_cpu_timer_del() runs at that moment, it won't be
+able to detect timer->it.cpu.firing != 0: cpu_timer_task_rcu() and/or
+lock_task_sighand() will fail.
+author: RedHat
+

vulns/CVE-2025-38514.yml

@@ -0,0 +1,12 @@
+reachability: Network
+memory_corruption: no
+bug_class: Oops
+impact: DoS
+privileges_required: no
+notes:
+If an AF_RXRPC service socket is opened and bound, but calls are
+preallocated, then rxrpc_alloc_incoming_call() will oops because the
+rxrpc_backlog struct doesn't get allocated until the first preallocation is
+made.
+author: RedHat
+

vulns/CVE-2025-38559.yml

@@ -0,0 +1,13 @@
+reachability: Local
+memory_corruption: no
+bug_class: Null Pointer Dereference
+impact: DoS
+privileges_required: no
+notes:
+Usage of the intel_pmt_read() for binary sysfs, requires a pcidev. The
+current use of the endpoint value is only valid for telemetry endpoint
+usage.
+Without the ep, the crashlog usage causes the following NULL pointer
+exception:
+author: RedHat
+

vulns/CVE-2025-38589.yml

@@ -0,0 +1,9 @@
+reachability: Local
+memory_corruption: no
+bug_class: Null Pointer Dereference
+impact: DoS
+privileges_required: no
+notes:
+A null-ptr-deref in neigh_flush_dev(). 
+author: RedHat
+

vulns/CVE-2025-38606.yml

@@ -0,0 +1,9 @@
+reachability: Local
+memory_corruption: no
+bug_class: Null Pointer Dereference
+impact: DoS
+privileges_required: no
+notes:
+An uninitialized data access (arvif->ar) during beacon miss lead to null pointer
+author: RedHat
+

vulns/CVE-2025-39717.yml

@@ -0,0 +1,22 @@
+reachability: Local
+memory_corruption: no
+bug_class: UAF
+impact: DoS
+privileges_required: no
+notes:
+As described in commit 7a54947e727b ('Merge patch series "fs: allow
+changing idmappings"'), open_tree_attr(2) was necessary in order to
+allow for a detached mount to be created and have its idmappings changed
+without the risk of any racing threads operating on it. For this reason,
+mount_setattr(2) still does not allow for id-mappings to be changed.
+
+However, there was a bug in commit 2462651ffa76 which allowed users to bypass this restriction by calling
+open_tree_attr(2) without OPEN_TREE_CLONE.
+
+can_idmap_mount() prevented this bug from allowing an attached
+mountpoint's id-mapping from being modified (thanks to an is_anon_ns()
+check), but this still allows for detached (but visible) mounts to have
+their be id-mapping changed. This risks the same UAF and locking issues
+as described in the merge commit, and was likely unintentional.
+author: RedHat
+

vulns/CVE-2025-39727.yml

@@ -0,0 +1,14 @@
+reachability: Local
+memory_corruption: yes
+bug_class: Buffer Overflow
+impact: DoS / Info Leak
+privileges_required: no
+notes:
+In setup_swap_map(), we only ensure badpages are in range (0, last_page].
+As maxpages might be < last_page, setup_clusters() will encounter a buffer
+overflow when a badpage is >= maxpages.
+
+Only call inc_cluster_info_page() for badpage which is < maxpages to fix
+the issue.
+author: RedHat
+

vulns/CVE-2025-39742.yml

@@ -0,0 +1,12 @@
+reachability: Local
+memory_corruption: no
+bug_class: Divide-by-zero
+impact: DoS
+privileges_required: no
+notes:
+The function divides number of online CPUs by num_core_siblings, and
+later checks the divider by zero. This implies a possibility to get
+and divide-by-zero runtime error. Fix it by moving the check prior to
+division. This also helps to save one indentation level.
+author: RedHat
+

vulns/CVE-2025-39757.yml

@@ -0,0 +1,12 @@
+reachability: Local
+memory_corruption: no
+bug_class: OOM (Read)
+impact: Info Leak
+privileges_required: no
+notes:
+UAC3 class segment descriptors need to be verified whether their sizes
+match with the declared lengths and whether they fit with the
+allocated buffer sizes, too.  Otherwise malicious firmware may lead to
+the unexpected OOB accesses.
+author: RedHat
+

vulns/CVE-2025-39761.yml

@@ -0,0 +1,15 @@
+reachability: Local
+memory_corruption: no
+bug_class: OOB (Read)
+impact: DoS
+privileges_required: no
+notes:
+Currently, TID is not decremented before peer cleanup, during error
+handling path of ath12k_dp_rx_peer_frag_setup(). This could lead to
+out-of-bounds access in peer->rx_tid[].
+
+Hence, add a decrement operation for TID, before peer cleanup to
+ensures proper cleanup and prevents out-of-bounds access issues when
+the RX peer frag setup fails.
+author: RedHat
+