10597 matches found
CVE-2022-50137
In the Linux kernel, the following vulnerability has been resolved: RDMA/irdma: Fix a window for use-after-free During a destroy CQ an interrupt may cause processing of a CQE after CQresources are freed by irdma_cq_free_rsrc(). Fix this by moving the callto irdma_cq_free_rsrc() after the irdma_sc_c...
CVE-2022-50141
In the Linux kernel, the following vulnerability has been resolved: mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch of_find_matching_node() returns a node pointer with refcountincremented, we should use of_node_put() on it when not need anymore.Add missing of_node_put() to avo...
CVE-2022-50157
In the Linux kernel, the following vulnerability has been resolved: PCI: microchip: Fix refcount leak in mc_pcie_init_irq_domains() of_get_next_child() returns a node pointer with refcount incremented, so weshould use of_node_put() on it when we don't need it anymore. mc_pcie_init_irq_domains() onl...
CVE-2022-50161
In the Linux kernel, the following vulnerability has been resolved: mtd: maps: Fix refcount leak in of_flash_probe_versatile of_find_matching_node_and_match() returns a node pointer with refcountincremented, we should use of_node_put() on it when not need anymore.Add missing of_node_put() to avoid ...
CVE-2022-50164
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix double list_add at iwl_mvm_mac_wake_tx_queue After successfull station association, if station queues are disabled forsome reason, the related lists are not emptied. So if some new element isadded to the lis...
CVE-2022-50166
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: When HCI work queue is drained, only queue chained work The HCI command, event, and data packet processing workqueue is drainedto avoid deadlock in commit76727c02c1e1 ("Bluetooth: Call drain_workqueue() before resetting ...
CVE-2022-50171
In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/sec - don't sleep when in softirq When kunpeng920 encryption driver is used to deencrypt and decryptpackets during the softirq, it is not allowed to use mutex lock. Thekernel will report the following error: BUG: ...
CVE-2022-50175
In the Linux kernel, the following vulnerability has been resolved: media: tw686x: Fix memory leak in tw686x_video_init video_device_alloc() allocates memory for vdev,when video_register_device() fails, it doesn't release the memory andleads to memory leak, call video_device_release() to fix this.
CVE-2022-50183
In the Linux kernel, the following vulnerability has been resolved: drm/meson: encoder_cvbs: Fix refcount leak in meson_encoder_cvbs_init of_graph_get_remote_node() returns remote device nodepointer withrefcount incremented, we should use of_node_put() on it when done.Add missing of_node_put() to a...
CVE-2022-50184
In the Linux kernel, the following vulnerability has been resolved: drm/meson: encoder_hdmi: Fix refcount leak in meson_encoder_hdmi_init of_graph_get_remote_node() returns remote device nodepointer withrefcount incremented, we should use of_node_put() on it when done.Add missing of_node_put() to a...
CVE-2022-50192
In the Linux kernel, the following vulnerability has been resolved: spi: tegra20-slink: fix UAF in tegra_slink_remove() After calling spi_unregister_master(), the refcount of master willbe decrease to 0, and it will be freed in spi_controller_release(),the device data also will be freed, so it will...
CVE-2022-50196
In the Linux kernel, the following vulnerability has been resolved: soc: qcom: ocmem: Fix refcount leak in of_get_ocmem of_parse_phandle() returns a node pointer with refcountincremented, we should use of_node_put() on it when not need anymore.Add missing of_node_put() to avoid refcount leak.of_nod...
CVE-2022-50199
In the Linux kernel, the following vulnerability has been resolved: ARM: OMAP2+: Fix refcount leak in omapdss_init_of omapdss_find_dss_of_node() calls of_find_compatible_node() to get devicenode. of_find_compatible_node() returns a node pointer with refcountincremented, we should use of_node_put() ...
CVE-2022-50202
In the Linux kernel, the following vulnerability has been resolved: PM: hibernate: defer device probing when resuming from hibernation syzbot is reporting hung task at misc_open() [1], for there is a racewindow of AB-BA deadlock which involves probe_count variable. Currentlywait_for_device_probe() ...
CVE-2022-50203
In the Linux kernel, the following vulnerability has been resolved: ARM: OMAP2+: display: Fix refcount leak bug In omapdss_init_fbdev(), of_find_node_by_name() will return a nodepointer with refcount incremented. We should use of_node_put() whenit is not used anymore.
CVE-2022-50207
In the Linux kernel, the following vulnerability has been resolved: ARM: bcm: Fix refcount leak in bcm_kona_smc_init of_find_matching_node() returns a node pointer with refcountincremented, we should use of_node_put() on it when not need anymore.Add missing of_node_put() to avoid refcount leak.
CVE-2022-50221
In the Linux kernel, the following vulnerability has been resolved: drm/fb-helper: Fix out-of-bounds access Clip memory range to screen-buffer size to avoid out-of-bounds accessin fbdev deferred I/O's damage handling. Fbdev's deferred I/O can only track pages. From the range of pages, thedamage han...
CVE-2022-50228
In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0 Don't BUG/WARN on interrupt injection due to GIF being cleared,since it's trivial for userspace to force the situation viaKVM_SET_VCPU_EVENTS (even if having at least...
CVE-2025-38013
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Set n_channels after allocating struct cfg80211_scan_request Make sure that n_channels is set after allocating thestruct cfg80211_registered_device::int_scan_req member. Seen withsyzkaller: UBSAN: array-index-out-of...
CVE-2025-38053
In the Linux kernel, the following vulnerability has been resolved: idpf: fix null-ptr-deref in idpf_features_check idpf_features_check is used to validate the TX packet. skb headerlength is compared with the hardware supported value received fromthe device control plane. The value is stored in the...
CVE-2025-38061
In the Linux kernel, the following vulnerability has been resolved: net: pktgen: fix access outside of user given buffer in pktgen_thread_write() Honour the user given buffer size for the strn_len() calls (otherwisestrn_len() will access memory outside of the user given buffer).
CVE-2025-38084
In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: unshare page tables during VMA split, not before Currently, __split_vma() triggers hugetlb page table unsharing throughvm_ops->may_split(). This happens before the VMA lock and rmap locks aretaken - which is too earl...
CVE-2025-38087
In the Linux kernel, the following vulnerability has been resolved: net/sched: fix use-after-free in taprio_dev_notifier Since taprio’s taprio_dev_notifier() isn’t protected by anRCU read-side critical section, a race with advance_sched()can lead to a use-after-free. Adding rcu_read_lock() inside t...
CVE-2025-38090
In the Linux kernel, the following vulnerability has been resolved: drivers/rapidio/rio_cm.c: prevent possible heap overwrite In riocm_cdev_ioctl(RIO_CM_CHAN_SEND)-> cm_chan_msg_send()-> riocm_ch_send() cm_chan_msg_send() checks that userspace didn't send too much data butriocm_ch_send() fail...
CVE-2025-38094
In the Linux kernel, the following vulnerability has been resolved: net: cadence: macb: Fix a possible deadlock in macb_halt_tx. There is a situation where after THALT is set high, TGO stays high aswell. Because jiffies are never updated, as we are in a context withinterrupts disabled, we never exi...
CVE-2025-38095
In the Linux kernel, the following vulnerability has been resolved: dma-buf: insert memory barrier before updating num_fences smp_store_mb() inserts memory barrier after storing operation.It is different with what the comment is originally aiming so Nullpointer dereference can be happened if memory...
CVE-2025-38116
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix uaf in ath12k_core_init() When the execution of ath12k_core_hw_group_assign() orath12k_core_hw_group_create() fails, the registered notifier chain is notunregistered properly. Its memory is freed after rmmod, whic...
CVE-2025-38120
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_set_pipapo_avx2: fix initial map fill If the first field doesn't cover the entire start map, then we must zeroout the remainder, else we leak those bits into the next match round map. The early fix was incomplete and ...
CVE-2025-38125
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: make sure that ptp_rate is not 0 before configuring EST If the ptp_rate recorded earlier in the driver happens to be 0, thisbogus value will propagate up to EST configuration, where it willtrigger a division by 0. Prev...
CVE-2025-38126
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: make sure that ptp_rate is not 0 before configuring timestamping The stmmac platform drivers that do not open-code the clk_ptp_rate valueafter having retrieved the default one from the device-tree can end upwith 0 in c...
CVE-2025-38181
In the Linux kernel, the following vulnerability has been resolved: calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). syzkaller reported a null-ptr-deref in sock_omalloc() while allocatinga CALIPSO option. [0] The NULL is of struct sock, which was fetched by sk_to_full_sk() incalipso_req_...
CVE-2025-38191
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix null pointer dereference in destroy_previous_session If client set ->PreviousSessionId on kerberos session setup stage,NULL pointer dereference error will happen. Since sess->user is notset yet, It can pass the use...
CVE-2025-38193
In the Linux kernel, the following vulnerability has been resolved: net_sched: sch_sfq: reject invalid perturb period Gerrard Tai reported that SFQ perturb_period has no range check yet,and this can be used to trigger a race condition fixed in a separate patch. We want to make sure ctl->perturb_...
CVE-2025-38194
In the Linux kernel, the following vulnerability has been resolved: jffs2: check that raw node were preallocated before writing summary Syzkaller detected a kernel bug in jffs2_link_node_ref, caused by faultinjection in jffs2_prealloc_raw_node_refs. jffs2_sum_write_sumnode doesn'tcheck return value...
CVE-2025-38199
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: Fix memory leak due to multiple rx_stats allocation rx_stats for each arsta is allocated when adding a station.arsta->rx_stats will be freed when a station is removed. Redundant allocations are occurring when the s...
CVE-2025-38200
In the Linux kernel, the following vulnerability has been resolved: i40e: fix MMIO write access to an invalid page in i40e_clear_hw When the device sends a specific input, an integer underflow can occur, leadingto MMIO write access to an invalid page. Prevent the integer underflow by changing the t...
CVE-2025-38201
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_pipapo: clamp maximum map bucket size to INT_MAX Otherwise, it is possible to hit WARN_ON_ONCE in __kvmalloc_node_noprof()when resizing hashtable because __GFP_NOWARN is unset. Similar to: b541ba7d1f5a ("netfilte...
CVE-2025-38202
In the Linux kernel, the following vulnerability has been resolved: bpf: Check rcu_read_lock_trace_held() in bpf_map_lookup_percpu_elem() bpf_map_lookup_percpu_elem() helper is also available for sleepable bpfprogram. When BPF JIT is disabled or under 32-bit host,bpf_map_lookup_percpu_elem() will n...
CVE-2025-38203
In the Linux kernel, the following vulnerability has been resolved: jfs: Fix null-ptr-deref in jfs_ioc_trim [ Syzkaller Report ] Oops: general protection fault, probably for non-canonical address0xdffffc0000000087: 0000 [#1KASAN: null-ptr-deref in range [0x0000000000000438-0x000000000000043f]CPU: 2...
CVE-2025-38207
In the Linux kernel, the following vulnerability has been resolved: mm: fix uprobe pte be overwritten when expanding vma Patch series "Fix uprobe pte be overwritten when expanding vma". This patch (of 4): We encountered a BUG alert triggered by Syzkaller as follows:BUG: Bad rss-counter state mm:000...
CVE-2025-38211
In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix use-after-free of work objects after cm_id destruction The commit 59c68ac31e15 ("iw_cm: free cm_id resources on the lastderef") simplified cm_id resource management by freeing cm_id once allreferences to the cm_id we...
CVE-2025-38219
In the Linux kernel, the following vulnerability has been resolved: f2fs: prevent kernel warning due to negative i_nlink from corrupted image WARNING: CPU: 1 PID: 9426 at fs/inode.c:417 drop_nlink+0xac/0xd0home/cc/linux/fs/inode.c:417Modules linked in:CPU: 1 UID: 0 PID: 9426 Comm: syz-executor568 N...
CVE-2025-38226
In the Linux kernel, the following vulnerability has been resolved: media: vivid: Change the siize of the composing syzkaller found a bug: BUG: KASAN: vmalloc-out-of-bounds in tpg_fill_plane_pattern drivers/media/common/v4l2-tpg/v4l2-tpg-core.c:2608 [inline]BUG: KASAN: vmalloc-out-of-bounds in tpg_...
CVE-2025-38234
In the Linux kernel, the following vulnerability has been resolved: sched/rt: Fix race in push_rt_task Overview When a CPU chooses to call push_rt_task and picks a task to push toanother CPU's runqueue then it will call find_lock_lowest_rq methodwhich would take a double lock on both CPUs' runqueue...
CVE-2025-38235
In the Linux kernel, the following vulnerability has been resolved: HID: appletb-kbd: fix "appletb_backlight" backlight device reference counting During appletb_kbd_probe, probe attempts to get the backlight deviceby name. When this happens backlight_device_get_by_name looks for adevice in the back...
CVE-2025-38237
In the Linux kernel, the following vulnerability has been resolved: media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() In fimc_is_hw_change_mode(), the function changes camera modes withoutwaiting for hardware completion, risking corrupted data or system hangsif subsequ...
CVE-2022-49955
In the Linux kernel, the following vulnerability has been resolved: powerpc/rtas: Fix RTAS MSR[HV] handling for Cell The semi-recent changes to MSR handling when entering RTAS (firmware)cause crashes on IBM Cell machines. An example trace: kernel tried to execute user page (2fff01a8) - exploit atte...
CVE-2022-49963
In the Linux kernel, the following vulnerability has been resolved: drm/i915/ttm: fix CCS handling Crucible + recent Mesa seems to sometimes hit: GEM_BUG_ON(num_ccs_blks > NUM_CCS_BLKS_PER_XFER) And it looks like we can also trigger this with gem_lmem_swapping, if wemodify the test to use slight...
CVE-2022-49999
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix space cache corruption and potential double allocations When testing space_cache v2 on a large set of machines, we encountered afew symptoms: "unable to add free space :-17" (EEXIST) errors. Missing free space info items...
CVE-2022-50005
In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout When the pn532 uart device is detaching, the pn532_uart_remove()is called. But there are no functions in pn532_uart_remove() thatcould delete the cmd_timeout timer, wh...