CVE-2025-22104

In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Use kernel helpers for hex dumps Previously, when the driver was printing hex dumps, the buffer was castto an 8 byte long and printed using string formatters. If the buffersize was not a multiple of 8 then a read buffer ov...

CVE-2025-22121

In the Linux kernel, the following vulnerability has been resolved: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() There's issue as follows:BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172 CPU: ...

CVE-2025-38575

In the Linux kernel, the following vulnerability has been resolved: ksmbd: use aead_request_free to match aead_request_alloc Use aead_request_free() instead of kfree() to properly free memoryallocated by aead_request_alloc(). This ensures sensitive crypto datais zeroed before being freed.

CVE-2021-47637

In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix deadlock in concurrent rename whiteout and inode writeback Following hung tasks:[ 77.028764] task:kworker/u8:4 state:D stack: 0 pid: 132[ 77.028820] Call Trace:[ 77.029027] schedule+0x8c/0x1b0[ 77.029067] mutex_lock+0x50...

CVE-2021-47644

In the Linux kernel, the following vulnerability has been resolved: media: staging: media: zoran: move videodev alloc Move some code out of zr36057_init() and create new functions for handlingzr->video_dev. This permit to ease code reading and fix a zr->video_devmemory leak.

CVE-2022-49055

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Check for potential null return of kmalloc_array() As the kmalloc_array() may return null, the 'event_waiters[i].wait' would lead to null-pointer dereference.Therefore, it is better to check the return value of kmalloc_...

CVE-2022-49102

In the Linux kernel, the following vulnerability has been resolved: habanalabs: fix possible memory leak in MMU DR fini This patch fixes what seems to be copy paste error. We will have a memory leak if the host-resident shadow is NULL (whichwill likely happen as the DR and HR are not dependent).

CVE-2022-49183

In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ct: fix ref leak when switching zones When switching zones or network namespaces without doing a ct clear inbetween, it is now leaking a reference to the old ct entry. That'sbecause tcf_ct_skb_nfct_cached() returns f...

CVE-2022-49228

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a btf decl_tag bug when tagging a function syzbot reported a btf decl_tag bug with stack trace below: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASANKASAN: null-...

CVE-2022-49284

In the Linux kernel, the following vulnerability has been resolved: coresight: syscfg: Fix memleak on registration failure in cscfg_create_device device_register() calls device_initialize(),according to doc of device_initialize: Use put_device() to give up your reference instead of freeing * @dev d...

CVE-2022-49334

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: Fix xarray node memory leak If xas_split_alloc() fails to allocate the necessary nodes to complete thexarray entry split, it sets the xa_state to -ENOMEM, which xas_nomem()then interprets as "Please allocate more me...

CVE-2022-49467

In the Linux kernel, the following vulnerability has been resolved: drm: msm: fix possible memory leak in mdp5_crtc_cursor_set() drm_gem_object_lookup will call drm_gem_object_get inside. So cursor_boneeds to be put when msm_gem_get_and_pin_iova fails.

CVE-2022-49543

In the Linux kernel, the following vulnerability has been resolved: ath11k: fix the warning of dev_wake in mhi_pm_disable_transition() When test device recovery with below command, it has warning in messageas below.echo assert > /sys/kernel/debug/ath11k/wcn6855\ hw2.0/simulate_fw_crashecho asser...

CVE-2022-49664

In the Linux kernel, the following vulnerability has been resolved: tipc: move bc link creation back to tipc_node_create Shuang Li reported a NULL pointer dereference crash: [] BUG: kernel NULL pointer dereference, address: 0000000000000068[] RIP: 0010:tipc_link_is_up+0x5/0x10 [tipc][] Call Trace:[...

CVE-2023-52988

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/via: Avoid potential array out-of-bound in add_secret_dac_path() snd_hda_get_connections() can return a negative error code.It may lead to accessing 'conn' array at a negative index. Found by Linux Verification Center (li...

CVE-2024-36476

In the Linux kernel, the following vulnerability has been resolved: RDMA/rtrs: Ensure 'ib_sge list' is accessible Move the declaration of the 'ib_sge list' variable outside the'always_invalidate' block to ensure it remains accessible for usethroughout the function. Previously, 'ib_sge list' was dec...

CVE-2024-43098

In the Linux kernel, the following vulnerability has been resolved: i3c: Use i3cdev->desc->info instead of calling i3c_device_get_info() to avoid deadlock A deadlock may happen since the i3c_master_register() acquires&i3cbus->lock twice. See the log below.Use i3cdev->desc->info inste...

CVE-2024-47809

In the Linux kernel, the following vulnerability has been resolved: dlm: fix possible lkb_resource null dereference This patch fixes a possible null pointer dereference when this function iscalled from request_lock() as lkb->lkb_resource is not assigned yet,only after validate_lock_args() by cal...

CVE-2024-51729

In the Linux kernel, the following vulnerability has been resolved: mm: use aligned address in copy_user_gigantic_page() In current kernel, hugetlb_wp() calls copy_user_large_folio() with thefault address. Where the fault address may be not aligned with the hugepage size. Then, copy_user_large_foli...

CVE-2025-21661

In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix missing lookup table cleanups When a virtuser device is created via configfs and the probe fails dueto an incorrect lookup table, the table is not removed. This preventssubsequent probe attempts from succeeding,...

CVE-2025-21726

In the Linux kernel, the following vulnerability has been resolved: padata: avoid UAF for reorder_work Although the previous patch can avoid ps and ps UAF for _do_serial, itcan not avoid potential UAF issue for reorder_work. This issue canhappen just as below: crypto_request crypto_request crypto_d...

CVE-2025-21766

In the Linux kernel, the following vulnerability has been resolved: ipv4: use RCU protection in __ip_rt_update_pmtu() __ip_rt_update_pmtu() must use RCU protection to makesure the net structure it reads does not disappear.

CVE-2025-21878

In the Linux kernel, the following vulnerability has been resolved: i2c: npcm: disable interrupt enable bit before devm_request_irq The customer reports that there is a soft lockup issue related tothe i2c driver. After checking, the i2c module was doing a tx transferand the bmc machine reboots in t...

CVE-2025-22045

In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs On the following path, flush_tlb_range() can be used for zapping normalPMD entries (PMD entries that point to page tables) together with the PTEentries in the pointed-...

CVE-2025-22054

In the Linux kernel, the following vulnerability has been resolved: arcnet: Add NULL check in com20020pci_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently,com20020pci_probe() does not check for this case, which results in aNULL pointer dereference. Add NULL check after ...

CVE-2025-37749

In the Linux kernel, the following vulnerability has been resolved: net: ppp: Add bound checking for skb data on ppp_sync_txmung Ensure we have enough data in linear buffer from skb before accessinginitial bytes. This prevents potential out-of-bounds accesseswhen processing short packets. When ppp_...

CVE-2025-38240

In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: dp: drm_err => dev_err in HPD path to avoid NULL ptr The function mtk_dp_wait_hpd_asserted() may be called before themtk_dp->drm_dev pointer is assigned in mtk_dp_bridge_attach().Specifically it can be called vi...

CVE-2025-40014

In the Linux kernel, the following vulnerability has been resolved: objtool, spi: amd: Fix out-of-bounds stack access in amd_set_spi_freq() If speed_hz

CVE-2021-47645

In the Linux kernel, the following vulnerability has been resolved: media: staging: media: zoran: calculate the right buffer number for zoran_reap_stat_com On the case tmp_dcim=1, the index of buffer is miscalculated.This generate a NULL pointer dereference later. So let's fix the calcul and add a ...

CVE-2021-47652

In the Linux kernel, the following vulnerability has been resolved: video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe() I got a null-ptr-deref report: BUG: kernel NULL pointer dereference, address: 0000000000000000...RIP: 0010:fb_destroy_modelist+0x38/0x100...Call Trace:ufx_usb_probe.cold+...

CVE-2022-49046

In the Linux kernel, the following vulnerability has been resolved: i2c: dev: check return value when calling dev_set_name() If dev_set_name() fails, the dev_name() is null, check the returnvalue of dev_set_name() to avoid the null-ptr-deref.

CVE-2022-49063

In the Linux kernel, the following vulnerability has been resolved: ice: arfs: fix use-after-free when freeing @rx_cpu_rmap The CI testing bots triggered the following splat: [ 718.203054] BUG: KASAN: use-after-free in free_irq_cpu_rmap+0x53/0x80[ 718.206349] Read of size 4 at addr ffff8881bd127e00...

CVE-2022-49139

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt This event is just specified for SCO and eSCO link types.On the reception of a HCI_Synchronous_Connection_Complete for a BDADDRof an existing LE connection, LE link type a...

CVE-2022-49238

In the Linux kernel, the following vulnerability has been resolved: ath11k: free peer for station when disconnect from AP for QCA6390/WCN6855 Commit b4a0f54156ac ("ath11k: move peer delete after vdev stop of stationfor QCA6390 and WCN6855") is to fix firmware crash by changing the WMIcommand sequen...

CVE-2022-49241

In the Linux kernel, the following vulnerability has been resolved: ASoC: atmel: Fix error handling in sam9x5_wm8731_driver_probe The device_node pointer is returned by of_parse_phandle() with refcountincremented. We should use of_node_put() on it when done. This function only calls of_node_put() i...

CVE-2022-49410

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix potential double free in create_var_ref() In create_var_ref(), init_var_ref() is called to initialize the fieldsof variable ref_field, which is allocated in the previous function callto create_hist_field(). Function in...

CVE-2022-49441

In the Linux kernel, the following vulnerability has been resolved: tty: fix deadlock caused by calling printk() under tty_port->lock pty_write() invokes kmalloc() which may invoke a normal printk() to printfailure message. This can cause a deadlock in the scenario reported bysyz-bot below: CPU0...

CVE-2022-49491

In the Linux kernel, the following vulnerability has been resolved: drm/rockchip: vop: fix possible null-ptr-deref in vop_bind() It will cause null-ptr-deref in resource_size(), if platform_get_resource()returns NULL, move calling resource_size() after devm_ioremap_resource() thatwill check 'res' t...

CVE-2022-49694

In the Linux kernel, the following vulnerability has been resolved: block: disable the elevator int del_gendisk The elevator is only used for file system requests, which are stopped indel_gendisk. Move disabling the elevator and freeing the scheduler tagsto the end of del_gendisk instead of doing t...

CVE-2022-49720

In the Linux kernel, the following vulnerability has been resolved: block: Fix handling of offline queues in blk_mq_alloc_request_hctx() This patch prevents that test nvme/004 triggers the following: UBSAN: array-index-out-of-bounds in block/blk-mq.h:135:9index 512 is out of range for type 'long un...

CVE-2022-49721

In the Linux kernel, the following vulnerability has been resolved: arm64: ftrace: consistently handle PLTs. Sometimes it is necessary to use a PLT entry to call an ftracetrampoline. This is handled by ftrace_make_call() and ftrace_make_nop(),with each having almost identical logic, but this is not...

CVE-2022-49759

In the Linux kernel, the following vulnerability has been resolved: VMCI: Use threaded irqs instead of tasklets The vmci_dispatch_dgs() tasklet function calls vmci_read_data()which uses wait_event() resulting in invalid sleep in an atomiccontext (and therefore potentially in a deadlock). Use thread...

CVE-2023-53015

In the Linux kernel, the following vulnerability has been resolved: HID: betop: check shape of output reports betopff_init() only checks the total sum of the report counts for eachreport field to be at least 4, but hid_betopff_play() expects 4 reportfields.A device advertising an output report with...

CVE-2025-21767

In the Linux kernel, the following vulnerability has been resolved: clocksource: Use migrate_disable() to avoid calling get_random_u32() in atomic context The following bug report happened with a PREEMPT_RT kernel: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:4...

CVE-2025-21838

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: core: flush gadget workqueue after device removal device_del() can lead to new work being scheduled in gadget->workworkqueue. This is observed, for example, with the dwc3 driver with thefollowing call stack:device_d...

CVE-2025-21855

In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Don't reference skb after sending to VIOS Previously, after successfully flushing the xmit buffer to VIOS,the tx_bytes stat was incremented by the length of the skb. It is invalid to access the skb memory after sending the...

CVE-2025-21912

In the Linux kernel, the following vulnerability has been resolved: gpio: rcar: Use raw_spinlock to protect register access Use raw_spinlock in order to fix spurious messages about invalid contextwhen spinlock debugging is enabled. The lock is only used to serializeregister access. [ 4.239592] ====...

CVE-2025-21956

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Assign normalized_pix_clk when color depth = 14 [WHY & HOW]A warning message "WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397calculate_phy_pix_clks+0xef/0x100 [amdgpu]" occurs because thedisplay_color_depth == ...

CVE-2025-22073

In the Linux kernel, the following vulnerability has been resolved: spufs: fix a leak on spufs_new_file() failure It's called from spufs_fill_dir(), and caller of that will dospufs_rmdir() in case of failure. That does remove everythingwe'd managed to create, but... the problem dentry is stillnegat...

CVE-2025-22080

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Prevent integer overflow in hdr_first_de() The "de_off" and "used" variables come from the disk so they both need tocheck. The problem is that on 32bit systems if they're both greater thanUINT_MAX - 16 then the check does...