CVE-2022-49952

In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix memory corruption on probe Add the missing sanity check on the probed-session count to avoidcorrupting memory beyond the fixed-size slab-allocated session arraywhen there are more than FASTRPC_MAX_SESSIONS sessio...

CVE-2022-49957

In the Linux kernel, the following vulnerability has been resolved: kcm: fix strp_init() order and cleanup strp_init() is called just a few lines above this csk->sk_user_datacheck, it also initializes strp->work etc., therefore, it isunnecessary to call strp_done() to cancel the freshly initi...

CVE-2022-49985

In the Linux kernel, the following vulnerability has been resolved: bpf: Don't use tnum_range on array range checking for poke descriptors Hsin-Wei reported a KASAN splat triggered by their BPF runtime fuzzer whichis based on a customized syzkaller: BUG: KASAN: slab-out-of-bounds in bpf_int_jit_com...

CVE-2022-50011

In the Linux kernel, the following vulnerability has been resolved: venus: pm_helpers: Fix warning in OPP during probe Fix the following WARN triggered during Venus driver probe on5.19.0-rc8-next-20220728: WARNING: CPU: 7 PID: 339 at drivers/opp/core.c:2471 dev_pm_opp_set_config+0x49c/0x610Modules ...

CVE-2022-50024

In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw-axi-dmac: do not print NULL LLI during error During debugging we have seen an issue where axi_chan_dump_lli()is passed a NULL LLI pointer which ends up causing an OOPS dueto trying to get fields from it. Simply print ...

CVE-2022-50028

In the Linux kernel, the following vulnerability has been resolved: gadgetfs: ep_io - wait until IRQ finishes after usb_ep_queue() if wait_for_completion_interruptible() isinterrupted we need to wait until IRQ gets finished. Otherwise complete() from epio_complete() can corrupt stack.

CVE-2022-50030

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user input Malformed user input to debugfs results in buffer overflow crashes. Adaptinput string lengths to fit within internal buffers, leaving space for NULLte...

CVE-2022-50097

In the Linux kernel, the following vulnerability has been resolved: video: fbdev: s3fb: Check the size of screen before memset_io() In the function s3fb_set_par(), the value of 'screen_size' iscalculated by the user input. If the user provides the improper value,the value of 'screen_size' may large...

CVE-2022-50103

In the Linux kernel, the following vulnerability has been resolved: sched, cpuset: Fix dl_cpu_busy() panic due to empty cs->cpus_allowed With cgroup v2, the cpuset's cpus_allowed mask can be empty indicatingthat the cpuset will just use the effective CPUs of its parent. Socpuset_can_attach() can...

CVE-2022-50108

In the Linux kernel, the following vulnerability has been resolved: mfd: max77620: Fix refcount leak in max77620_initialise_fps of_get_child_by_name() returns a node pointer with refcountincremented, we should use of_node_put() on it when not need anymore.Add missing of_node_put() to avoid refcount...

CVE-2022-50118

In the Linux kernel, the following vulnerability has been resolved: powerpc/perf: Optimize clearing the pending PMI and remove WARN_ON for PMI check in power_pmu_disable commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clearpending PMI before resetting an overflown PMC") added a newfunction...

CVE-2022-50140

In the Linux kernel, the following vulnerability has been resolved: memstick/ms_block: Fix a memory leak 'erased_blocks_bitmap' is never freed. As it is allocated at the same timeas 'used_blocks_bitmap', it is likely that it should be freed also at thesame time. Add the corresponding bitmap_free() ...

CVE-2022-50149

In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential deadlock in __driver_attach In __driver_attach function, There are also AA deadlock problem,like the commit b232b02bf3c2 ("driver core: fix deadlock in__device_attach"). stack like commit b232b02bf3c2 ("d...

CVE-2022-50155

In the Linux kernel, the following vulnerability has been resolved: mtd: parsers: ofpart: Fix refcount leak in bcm4908_partitions_fw_offset of_find_node_by_path() returns a node pointer with refcount incremented,we should use of_node_put() on it when not need anymore.Add missing of_node_put() to av...

CVE-2022-50156

In the Linux kernel, the following vulnerability has been resolved: HID: cp2112: prevent a buffer overflow in cp2112_xfer() Smatch warnings:drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy()'data->block[1]' too small (33 vs 255)drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy...

CVE-2022-50160

In the Linux kernel, the following vulnerability has been resolved: mtd: maps: Fix refcount leak in ap_flash_init of_find_matching_node() returns a node pointer with refcountincremented, we should use of_node_put() on it when not need anymore.Add missing of_node_put() to avoid refcount leak.

CVE-2022-50185

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers() The last case label can write two buffers 'mc_reg_address[j]' and'mc_data[j]' with 'j' offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZEsince there are no...

CVE-2022-50209

In the Linux kernel, the following vulnerability has been resolved: meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init of_find_matching_node() returns a node pointer with refcountincremented, we should use of_node_put() on it when not need anymore.Add missing of_node_put() to avoid refcou...

CVE-2022-50218

In the Linux kernel, the following vulnerability has been resolved: iio: light: isl29028: Fix the warning in isl29028_remove() The driver use the non-managed form of the register function inisl29028_remove(). To keep the release order as mirroring the orderingin probe, the driver should use non-man...

CVE-2025-38045

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix debug actions order The order of actions taken for debug was implemented incorrectly.Now we implemented the dump split and do the FW reset only in themiddle of the dump (rather than the FW killing itself on error...

CVE-2025-38065

In the Linux kernel, the following vulnerability has been resolved: orangefs: Do not truncate file size 'len' is used to store the result of i_size_read(), so making 'len'a size_t results in truncation to 4GiB on 32-bit systems.

CVE-2025-38094

In the Linux kernel, the following vulnerability has been resolved: net: cadence: macb: Fix a possible deadlock in macb_halt_tx. There is a situation where after THALT is set high, TGO stays high aswell. Because jiffies are never updated, as we are in a context withinterrupts disabled, we never exi...

CVE-2025-38182

In the Linux kernel, the following vulnerability has been resolved: ublk: santizize the arguments from userspace when adding a device Sanity check the values for queue depth and number of queueswe get from userspace when adding a device.

CVE-2025-38193

In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: reject invalid perturb period Gerrard Tai reported that SFQ perturb_period has no range check yet,and this can be used to trigger a race condition fixed in a separate patch. We want to make sure ctl->perturb_...

CVE-2025-38197

In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell_rbu: Fix list usage Pass the correct list head to list_for_each_entry*() when looping throughthe packet list. Without this patch, reading the packet data via sysfs will show the dataincorrectly (because it starts...

CVE-2025-38206

In the Linux kernel, the following vulnerability has been resolved: exfat: fix double free in delayed_free The double free could happen in the following path. exfat_create_upcase_table()exfat_create_upcase_table() : return errorexfat_free_upcase_table() : free ->vol_utblexfat_load_default_upcase...

CVE-2025-38257

In the Linux kernel, the following vulnerability has been resolved: s390/pkey: Prevent overflow in size calculation for memdup_user() Number of apqn target list entries contained in 'nr_apqns' variable isdetermined by userspace via an ioctl call so the result of the product incalculation of size pa...

CVE-2025-38350

In the Linux kernel, the following vulnerability has been resolved: net/sched: Always pass notifications when child class becomes empty Certain classful qdiscs may invoke their classes' dequeue handler on anenqueue operation. This may unexpectedly empty the child qdisc and thusmake an in-flight cla...

CVE-2022-49946

In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Prevent out-of-bounds access The while loop in raspberrypi_discover_clocks() relies on the assumptionthat the id of the last clock element is zero. Because this data comesfrom the Videocore firmware and it doesn't gu...

CVE-2022-49950

In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix memory corruption on open The probe session-duplication overflow check incremented the sessioncount also when there were no more available sessions so that memorybeyond the fixed-size slab-allocated session array...

CVE-2022-49964

In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level Though acpi_find_last_cache_level() always returned signed value and thedocument states it will return any errors caused by lack of a PPTT table,...

CVE-2022-49968

In the Linux kernel, the following vulnerability has been resolved: ieee802154/adf7242: defer destroy_workqueue call There is a possible race condition (use-after-free) like below (FREE) | (USE)adf7242_remove | adf7242_channelcancel_delayed_work_sync |destroy_workqueue (1) | adf7242_cmd_rx| mod_del...

CVE-2022-49973

In the Linux kernel, the following vulnerability has been resolved: skmsg: Fix wrong last sg check in sk_msg_recvmsg() Fix one kernel NULL pointer dereference as below: [ 224.462334] Call Trace:[ 224.462394] __tcp_bpf_recvmsg+0xd3/0x380[ 224.462441] ? sock_has_perm+0x78/0xa0[ 224.462463] tcp_bpf_re...

CVE-2022-49993

In the Linux kernel, the following vulnerability has been resolved: loop: Check for overflow while configuring loop The userspace can configure a loop using an ioctl call, whereina configuration of type loop_config is passed (see lo_ioctl()'scase on line 1550 of drivers/block/loop.c). This proceeds...

CVE-2022-50010

In the Linux kernel, the following vulnerability has been resolved: video: fbdev: i740fb: Check the argument of i740_calc_vclk() Since the user can control the arguments of the ioctl() from the userspace, under special arguments that may result in a divide-by-zero bug. If the user provides an impro...

CVE-2022-50021

In the Linux kernel, the following vulnerability has been resolved: ext4: block range must be validated before use in ext4_mb_clear_bb() Block range to free is validated in ext4_free_blocks() usingext4_inode_block_valid() and then it's passed to ext4_mb_clear_bb().However in some situations on biga...

CVE-2022-50026

In the Linux kernel, the following vulnerability has been resolved: habanalabs/gaudi: fix shift out of bounds When validating NIC queues, queue offset calculation must beperformed only for NIC queues.

CVE-2022-50038

In the Linux kernel, the following vulnerability has been resolved: drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors() In this function, there are two refcount leak bugs:(1) when breaking out of for_each_endpoint_of_node(), we need callthe of_node_put() for the 'ep';(2) we should ...

CVE-2022-50059

In the Linux kernel, the following vulnerability has been resolved: ceph: don't leak snap_rwsem in handle_cap_grant When handle_cap_grant is called on an IMPORT op, then the snap_rwsem isheld and the function is expected to release it before returning. Itcurrently fails to do that in all cases whic...

CVE-2022-50074

In the Linux kernel, the following vulnerability has been resolved: apparmor: Fix memleak in aa_simple_write_to_buffer() When copy_from_user failed, the memory is freed by kvfree. however themanagement struct and data blob are allocated independently, so onlykvfree(data) cause a memleak issue here....

CVE-2022-50121

In the Linux kernel, the following vulnerability has been resolved: remoteproc: k3-r5: Fix refcount leak in k3_r5_cluster_of_init Every iteration of for_each_available_child_of_node() decrementsthe reference count of the previous node.When breaking early from a for_each_available_child_of_node() lo...

CVE-2022-50131

In the Linux kernel, the following vulnerability has been resolved: HID: mcp2221: prevent a buffer overflow in mcp_smbus_write() Smatch Warning:drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy()'&mcp->txbuf[5]' too small (59 vs 255)drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() e...

CVE-2022-50142

In the Linux kernel, the following vulnerability has been resolved: intel_th: msu: Fix vmalloced buffers After commit f5ff79fddf0e ("dma-mapping: remove CONFIG_DMA_REMAP") there'sa chance of DMA buffer getting allocated via vmalloc(), which messes upthe mmapping code: RIP: msc_mmap_fault [intel_th_...

CVE-2022-50143

In the Linux kernel, the following vulnerability has been resolved: intel_th: Fix a resource leak in an error handling path If an error occurs after calling 'pci_alloc_irq_vectors()','pci_free_irq_vectors()' must be called as already done in the removefunction.

CVE-2022-50161

In the Linux kernel, the following vulnerability has been resolved: mtd: maps: Fix refcount leak in of_flash_probe_versatile of_find_matching_node_and_match() returns a node pointer with refcountincremented, we should use of_node_put() on it when not need anymore.Add missing of_node_put() to avoid ...

CVE-2022-50162

In the Linux kernel, the following vulnerability has been resolved: wifi: libertas: Fix possible refcount leak in if_usb_probe() usb_get_dev will be called before lbs_get_firmware_async which means thatusb_put_dev need to be called when lbs_get_firmware_async fails.

CVE-2022-50165

In the Linux kernel, the following vulnerability has been resolved: wifi: wil6210: debugfs: fix uninitialized variable use in wil_write_file_wmi() Commit 7a4836560a61 changes simple_write_to_buffer() with memdup_user()but it forgets to change the value to be returned that came fromsimple_write_to_b...

CVE-2022-50171

In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/sec - don't sleep when in softirq When kunpeng920 encryption driver is used to deencrypt and decryptpackets during the softirq, it is not allowed to use mutex lock. Thekernel will report the following error: BUG: ...

CVE-2022-50198

In the Linux kernel, the following vulnerability has been resolved: ARM: OMAP2+: Fix refcount leak in omap3xxx_prm_late_init of_find_matching_node() returns a node pointer with refcountincremented, we should use of_node_put() on it when not need anymore.Add missing of_node_put() to avoid refcount l...

CVE-2022-50208

In the Linux kernel, the following vulnerability has been resolved: soc: amlogic: Fix refcount leak in meson-secure-pwrc.c In meson_secure_pwrc_probe(), there is a refcount leak in one failpath.