CVE-2021-47402

In the Linux kernel, the following vulnerability has been resolved: net: sched: flower: protect fl_walk() with rcu Patch that refactored fl_walk() to use idr_for_each_entry_continue_ul()also removed rcu protection of individual filters which causes followinguse-after-free when filter is deleted con...

CVE-2021-47571

In the Linux kernel, the following vulnerability has been resolved: staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() The free_rtllib() function frees the "dev" pointer so there is useafter free on the next line. Re-arrange things to avoid that.

CVE-2022-20105

In MM service, there is a possible out of bounds write due to a stack-based buffer overflow. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: DTV03330460; Issue ID: DTV03330460.

CVE-2022-48656

In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: k3-udma-private: Fix refcount leak bug in of_xudma_dev_get() We should call of_node_put() for the reference returned byof_parse_phandle() in fail path or when it is not used anymore.Here we only need to move the of_n...

CVE-2022-49241

In the Linux kernel, the following vulnerability has been resolved: ASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe The device_node pointer is returned by of_parse_phandle() with refcountincremented. We should use of_node_put() on it when done. This function only calls of_node_put() i...

CVE-2022-49335

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/cs: make commands with 0 chunks illegal behaviour. Submitting a cs with 0 chunks, causes an oops later, found tryingto execute the wrong userspace driver. MESA_LOADER_DRIVER_OVERRIDE=v3d glxinfo [172536.665184] BUG: kern...

CVE-2022-49447

In the Linux kernel, the following vulnerability has been resolved: ARM: hisi: Add missing of_node_put after of_find_compatible_node of_find_compatible_node will increment the refcount of the returneddevice_node. Calling of_node_put() to avoid the refcount leak

CVE-2022-49449

In the Linux kernel, the following vulnerability has been resolved: pinctrl: renesas: rzn1: Fix possible null-ptr-deref in sh_pfc_map_resources() It will cause null-ptr-deref when using 'res', if platform_get_resource()returns NULL, so move using 'res' after devm_ioremap_resource() thatwill check i...

CVE-2022-49467

In the Linux kernel, the following vulnerability has been resolved: drm: msm: fix possible memory leak in mdp5_crtc_cursor_set() drm_gem_object_lookup will call drm_gem_object_get inside. So cursor_boneeds to be put when msm_gem_get_and_pin_iova fails.

CVE-2022-49491

In the Linux kernel, the following vulnerability has been resolved: drm/rockchip: vop: fix possible null-ptr-deref in vop_bind() It will cause null-ptr-deref in resource_size(), if platform_get_resource()returns NULL, move calling resource_size() after devm_ioremap_resource() thatwill check 'res' t...

CVE-2023-3439

A flaw was found in the MCTP protocol in the Linux kernel. The function mctp_unregister() reclaims the device's relevant resource when a netcard detaches. However, a running routine may be unaware of this and cause the use-after-free of the mdev->addrs object, potentially leading to a denial of ...

CVE-2023-52510

In the Linux kernel, the following vulnerability has been resolved: ieee802154: ca8210: Fix a potential UAF in ca8210_probe If of_clk_add_provider() fails in ca8210_register_ext_clock(),it calls clk_unregister() to release priv->clk and returns anerror. However, the caller ca8210_probe() then ca...

CVE-2023-52561

In the Linux kernel, the following vulnerability has been resolved: arm64: dts: qcom: sdm845-db845c: Mark cont splash memory region as reserved Adding a reserved memory region for the framebuffer memory(the splash memory region set up by the bootloader). It fixes a kernel panic (arm-smmu: Unhandled...

CVE-2023-52855

In the Linux kernel, the following vulnerability has been resolved: usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency In _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" is executed withoutholding the lock "hsotg->lock". In _dwc2_hcd_urb_dequeue(): spin_lock_irqsave(&...

CVE-2024-26699

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix array-index-out-of-bounds in dcn35_clkmgr [Why]There is a potential memory access violation whileiterating through array of dcn35 clks. [How]Limit iteration per array size.

CVE-2024-26860

In the Linux kernel, the following vulnerability has been resolved: dm-integrity: fix a memory leak when rechecking the data Memory for the "checksums" pointer will leak if the data is recheckedafter checksum failure (because the associated kfree won't happen dueto 'goto skip_io'). Fix this by free...

CVE-2024-26869

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to truncate meta inode pages forcely Below race case can cause data corruption: Thread A GC thread- gc_data_segment- ra_data_block- locked meta_inode page f2fs_inplace_write_data invalidate_mapping_pages: fail to invalida...

CVE-2024-35851

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: qca: fix NULL-deref on non-serdev suspend Qualcomm ROME controllers can be registered from the Bluetooth linediscipline and in this case the HCI UART serdev pointer is NULL. Add the missing sanity check to prevent a NULL...

CVE-2024-35929

In the Linux kernel, the following vulnerability has been resolved: rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock() For the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y andCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()in the rcu_nocb_bypass_lock() and rcu_...

CVE-2024-35945

In the Linux kernel, the following vulnerability has been resolved: net: phy: phy_device: Prevent nullptr exceptions on ISR If phydev->irq is set unconditionally, checkfor valid interrupt handler or fall back to polling mode to preventnullptr exceptions in interrupt service routine.

CVE-2024-35972

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix possible memory leak in bnxt_rdma_aux_device_init() If ulp = kzalloc() fails, the allocated edev will leak because it isnot properly assigned and the cleanup path will not be able to free it.Fix it by assigning it prop...

CVE-2024-38543

In the Linux kernel, the following vulnerability has been resolved: lib/test_hmm.c: handle src_pfns and dst_pfns allocation failure The kcalloc() in dmirror_device_evict_chunk() will return null if thephysical memory has run out. As a result, if src_pfns or dst_pfns isdereferenced, the null pointer...

CVE-2024-39371

In the Linux kernel, the following vulnerability has been resolved: io_uring: check for non-NULL file pointer in io_file_can_poll() In earlier kernels, it was possible to trigger a NULL pointerdereference off the forced async preparation path, if no file hadbeen assigned. The trace leading to that ...

CVE-2024-39477

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: do not call vma_add_reservation upon ENOMEM sysbot reported a splat [1] on __unmap_hugepage_range(). This is becausevma_needs_reservation() can return -ENOMEM ifallocate_file_region_entries() fails to allocate the file_...

CVE-2024-40970

In the Linux kernel, the following vulnerability has been resolved: Avoid hw_desc array overrun in dw-axi-dmac I have a use case where nr_buffers = 3 and in which each descriptor is composed by 3segments, resulting in the DMA channel descs_allocated to be 9. Since axi_desc_put()handles the hw_desc ...

CVE-2024-42287

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Complete command early within lock A crash was observed while performing NPIV and FW reset, BUG: kernel NULL pointer dereference, address: 000000000000001c#PF: supervisor read access in kernel mode#PF: error_code(0x0...

CVE-2024-43829

In the Linux kernel, the following vulnerability has been resolved: drm/qxl: Add check for drm_cvt_mode Add check for the return value of drm_cvt_mode() and return the error ifit fails in order to avoid NULL pointer dereference.

CVE-2024-43897

In the Linux kernel, the following vulnerability has been resolved: net: drop bad gso csum_start and offset in virtio_net_hdr Tighten csum_start and csum_offset checks in virtio_net_hdr_to_skbfor GSO packets. The function already checks that a checksum requested withVIRTIO_NET_HDR_F_NEEDS_CSUM is i...

CVE-2024-44988

In the Linux kernel, the following vulnerability has been resolved: net: dsa: mv88e6xxx: Fix out-of-bound access If an ATU violation was caused by a CPU Load operation, the SPID couldbe larger than DSA_MAX_PORTS (the size of mv88e6xxx_chip.ports[] array).

CVE-2024-44996

In the Linux kernel, the following vulnerability has been resolved: vsock: fix recursive ->recvmsg calls After a vsock socket has been added to a BPF sockmap, its prot->recvmsghas been replaced with vsock_bpf_recvmsg(). Thus the followingrecursiion could happen: vsock_bpf_recvmsg()-> __vso...

CVE-2024-45011

In the Linux kernel, the following vulnerability has been resolved: char: xillybus: Check USB endpoints when probing device Ensure, as the driver probes the device, that all endpoints that thedriver may attempt to access exist and are of the correct type. All XillyUSB devices must have a Bulk IN an...

CVE-2024-46674

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: st: fix probed platform device ref count on probe error path The probe function never performs any paltform device allocation, thuserror path "undo_platform_dev_alloc" is entirely bogus. It drops thereference count from ...

CVE-2024-46798

In the Linux kernel, the following vulnerability has been resolved: ASoC: dapm: Fix UAF for snd_soc_pcm_runtime object When using kernel with the following extra config, CONFIG_KASAN=y CONFIG_KASAN_GENERIC=y CONFIG_KASAN_INLINE=y CONFIG_KASAN_VMALLOC=y CONFIG_FRAME_WARN=4096 kernel detects that snd...

CVE-2024-46829

In the Linux kernel, the following vulnerability has been resolved: rtmutex: Drop rt_mutex::wait_lock before scheduling rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In thegood case it returns with the lock held and in the deadlock case it emits awarning and goes into an endle...

CVE-2024-47731

In the Linux kernel, the following vulnerability has been resolved: drivers/perf: Fix ali_drw_pmu driver interrupt status clearing The alibaba_uncore_pmu driver forgot to clear all interrupt statusin the interrupt processing function. After the PMU counter overflowinterrupt occurred, an interrupt s...

CVE-2024-50176

In the Linux kernel, the following vulnerability has been resolved: remoteproc: k3-r5: Fix error handling when power-up failed By simply bailing out, the driver was violating its rule and internalassumptions that either both or no rproc should be initialized. E.g.,this could cause the first core to...

CVE-2024-53109

In the Linux kernel, the following vulnerability has been resolved: nommu: pass NULL argument to vma_iter_prealloc() When deleting a vma entry from a maple tree, it has to pass NULL tovma_iter_prealloc() in order to calculate internal state of the tree, butit passed a wrong argument. As a result, n...

CVE-2024-53200

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix null check for pipe_ctx->plane_state in hwss_setup_dpp This commit addresses a null pointer dereference issue inhwss_setup_dpp(). The issue could occur when pipe_ctx->plane_state isnull. The fix adds a ch...

CVE-2024-56652

In the Linux kernel, the following vulnerability has been resolved: drm/xe/reg_sr: Remove register pool That pool implementation doesn't really work: if the krealloc happens tomove the memory and return another address, the entries in the xarraybecome invalid, leading to use-after-free later: BUG: ...

CVE-2024-56657

In the Linux kernel, the following vulnerability has been resolved: ALSA: control: Avoid WARN() for symlink errors Using WARN() for showing the error of symlink creations don't givemore information than telling that something goes wrong, since theusual code path is a lregister callback from each co...

CVE-2024-56689

In the Linux kernel, the following vulnerability has been resolved: PCI: endpoint: epf-mhi: Avoid NULL dereference if DT lacks 'mmio' If platform_get_resource_byname() fails and returns NULL because DT lacksan 'mmio' property for the MHI endpoint, dereferencing res->start willcause a NULL pointe...

CVE-2024-57895

In the Linux kernel, the following vulnerability has been resolved: ksmbd: set ATTR_CTIME flags when setting mtime David reported that the new warning from setattr_copy_mgtime is cominglike the following. [ 113.215316] ------------[ cut here ]------------[ 113.215974] WARNING: CPU: 1 PID: 31 at fs/...

CVE-2025-21742

In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: use static NDP16 location in URB Original code allowed for the start of NDP16 to be anywhere within theURB based on the wNdpIndex value in NTH16. Only the start position ofNDP16 was checked, so it was possible for e...

CVE-2025-21775

In the Linux kernel, the following vulnerability has been resolved: can: ctucanfd: handle skb allocation failure If skb allocation fails, the pointer to struct can_frame is NULL. Thisis actually handled everywhere inside ctucan_err_interrupt() except forthe only place. Add the missed NULL check. Fo...

CVE-2025-21792

In the Linux kernel, the following vulnerability has been resolved: ax25: Fix refcount leak caused by setting SO_BINDTODEVICE sockopt If an AX25 device is bound to a socket by setting the SO_BINDTODEVICEsocket option, a refcount leak will occur in ax25_release(). Commit 9fd75b66b8f6 ("ax25: Fix ref...

CVE-2025-21857

In the Linux kernel, the following vulnerability has been resolved: net/sched: cls_api: fix error handling causing NULL dereference tcf_exts_miss_cookie_base_alloc() calls xa_alloc_cyclic() which canreturn 1 if the allocation succeeded after wrapping. This was treated asan error, with value 1 retur...

CVE-2025-21937

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name() Add check for the return value of mgmt_alloc_skb() inmgmt_remote_name() to prevent null pointer dereference.

CVE-2008-0600

The vmsplice_to_pipe function in Linux kernel 2.6.17 through 2.6.24.1 does not validate a certain userspace pointer before dereference, which allows local users to gain root privileges via crafted arguments in a vmsplice system call, a different vulnerability than CVE-2008-0009 and CVE-2008-0010.

CVE-2008-3272

The snd_seq_oss_synth_make_info function in sound/core/seq/oss/seq_oss_synth.c in the sound subsystem in the Linux kernel before 2.6.27-rc2 does not verify that the device number is within the range defined by max_synthdev before returning certain data to the caller, which allows local users to obt...

CVE-2009-0269

fs/ecryptfs/inode.c in the eCryptfs subsystem in the Linux kernel before 2.6.28.1 allows local users to cause a denial of service (fault or memory corruption), or possibly have unspecified other impact, via a readlink call that results in an error, leading to use of a -1 return value as an array in...