Linux Kernel

13804 matches found

added 2025/09/15 2:1 p.m., 18 views

CVE-2022-50241

CVE-2022-50241 is a Linux kernel local use-after-free in NFSD during inter-server copy. The race occurs when a CLOSE may be sent before FREE_STATEID, leaving a freed lock/state entry on the s2s_cp_stateids/sc_cp_list and triggering a BAD_STATEID on subsequent FREE_STATEID. The referenced patches ...

CVSS 7.8, AI score 6.1, EPSS 0.0015

added 2025/09/15 2:1 p.m., 18 views

CVE-2022-50243

CVE-2022-50243 – Linux kernel SCTP use-after-free (summary from connected advisories): The vulnerability arises in SCTP when an error is returned from sctp_auth_asoc_init_active_key(): the old sh_key could be freed while still in use as the active key, leading to a use-after-free during packet sen...

CVSS 7.8, AI score 6.1, EPSS 0.0015

added 2025/09/15 2:2 p.m., 18 views

CVE-2022-50245

CVE-2022-50245 concerns a Linux kernel issue in the rapidio driver where a UAF can occur if kfifo_alloc() fails during mport_cdev_open(). The fix removes priv from the chdev->file_list before freeing it to prevent traversal from accessing a freed object (the smatch warning reference). Affected...

CVSS 7.8, AI score 6.2, EPSS 0.00156

added 2025/09/15 2:2 p.m., 18 views

CVE-2022-50251

CVE-2022-50251 affects the Linux kernel mmc/vub300 driver. The vulnerability arises when mmc_add_host() returns an error but its return value is ignored, leading to a memory leak from mmc_alloc_host() and a potential kernel crash due to removing an unadded device in the remove path. The accompany...

CVSS 5.5, AI score 6.1, EPSS 0.00149

added 2025/09/15 2:2 p.m., 18 views

CVE-2022-50255

CVE-2022-50255 (Linux kernel tracing): The issue affects the tracing subsystem where the synthetic event field, specifically the character array file[], could be read as a string without validating the user-space address. This caused crashes when reading from user memory during open/openat strin...

CVSS 7.1, AI score 6.4, EPSS 0.00149

added 2025/09/15 2:2 p.m., 18 views

CVE-2022-50257

The CVE-2022-50257 issue is in the Linux kernel Xen grant handling (xen/gntdev) where partial grant mapping failures could leak grants. In paravirtualized domains (use_ptemod = true), alloced was not updated for all successful map_ops or kmap_ops, risking incorrect live_grants and leaks. The fix ...

CVSS 5.5, AI score 6.1, EPSS 0.00149

added 2025/09/15 2:2 p.m., 18 views

CVE-2022-50260

CVE-2022-50260 concerns the Linux kernel DRM MSM driver where .remove and .shutdown callbacks run via different code paths, creating a risk of calling drm_atomic_helper_shutdown() on an uninitialized DRM device. The initial description explains this mismatch can trigger kernel panics, especially ...

CVSS 5.5, AI score 6, EPSS 0.00143

added 2025/09/15 2:21 p.m., 18 views

CVE-2022-50265

CVE-2022-50265 pertains to the Linux kernel and concerns data races in the kernel crypto/messaging flow involving kcm->rx_wait and kcm->rx_psock. The description states that kcm->rx_psock can be read locklessly in kcm_rfree(), and the issue was mitigated by annotating the corresponding r...

CVSS 5.5, AI score 6, EPSS 0.00145

added 2025/09/15 2:21 p.m., 18 views

CVE-2022-50270

This CVE (CVE-2022-50270) affects the Linux kernel f2fs component. The root cause was a faulty iocb assignment in the f2fs_direct_IO_enter trace event: the code only copied the pointer of iocb and then accessed its field during trace printing, which could lead to a kernel paging fault. The fixes ...

CVSS 7.1, AI score 5.9, EPSS 0.00147

added 2025/09/15 2:21 p.m., 18 views

CVE-2022-50278

CVE-2022-50278: In the Linux kernel, a memory leak was introduced in the PNP path by deferring the dynamic allocation of the device name until after pnp_add_id() (the fix was to move dev_set_name() after pnp_add_id()) following commit 1fa5ae857bb1. The vulnerability affects the PNP device naming...

CVSS 5.5, AI score 6.1, EPSS 0.0015

added 2025/09/15 2:21 p.m., 18 views

CVE-2022-50280

CVE-2022-50280: In the Linux kernel, propagate_mnt() bug allowed a NULL dereference when terminating peers of a source mount, triggered via mount propagation paths. The issue could be exploited by unprivileged users due to user namespaces. This CVE affects the Linux kernel’s mount propagation han...

CVSS 5.5, AI score 5.9, EPSS 0.0015

added 2025/09/15 2:21 p.m., 18 views

CVE-2022-50288

The CVE-2022-50288 issue affects the Linux kernel qlcnic driver: under OOM, qlcnic_dcb_attach() can fail inside qlcnic_dcb_enable(), leading to adapter->dcb being freed while callers still use it via qlcnic_dcb_get_info(), causing a use-after-free. The fix propagates errors from qlcnic_dcb_ena...

CVSS 5.5, AI score 6.1, EPSS 0.00148

added 2025/09/15 2:45 p.m., 18 views

CVE-2022-50291

CVE-2022-50291 pertains to the Linux kernel KCM subsystem. Connected advisories describe a data-race in kcm_rfree() related to kcm->rx_psock and an analogous race for kcm->rx_wait, fixed by annotating reads/writes around these fields. The patches address lockless reads in kcm_rfree and ensu...

CVSS 5.5, AI score 6, EPSS 0.00146

added 2025/09/15 2:45 p.m., 18 views

CVE-2022-50293

CVE-2022-50293 affects the Linux kernel btrfs subsystem. When dropping file extent items for a range, ENOMEM could trigger a BUG_ON() path in btrfs_drop_extents(); the fix replaces those BUG_ON()s with proper transaction abort and error return handling. This means that instead of halting the tran...

CVSS 5.5, AI score 6.3, EPSS 0.00145

added 2025/09/15 2:45 p.m., 18 views

CVE-2022-50303

CVE-2022-50303: The Linux kernel’s DRM AMDGPU/AMDKFD path fixes a double release of a compute pasid. When kfd_process_device_init_vm fails after the VM was converted to a compute VM and vm->pasid was set to the compute pasid, KFD could drop the drm_file reference, causing the close path to re...

CVSS 7.8, AI score 6, EPSS 0.00151

added 2025/09/15 2:46 p.m., 18 views

CVE-2022-50309

CVE-2022-50309: Linux kernel vulnerability in media: xilinx: vipp, fixed in the commit that adds balance for refcount in xvip_graph_dma_init. The issue arises because of_get_child_by_name() returns a node pointer with its refcount incremented, and there was no corresponding of_node_put() when th...

CVSS 5.5, AI score 6, EPSS 0.00149

added 2025/09/15 2:46 p.m., 18 views

CVE-2022-50315

CVE-2022-50315: Linux kernel ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS. The issue arises when sata_pmp_init_links() initializes link->pmp up to SATA_PMP_MAX_PORTS while em_priv is an 8-element array, causing a UBSAN array-index-out-of-bounds in libahci.c. The patch aligns EM_MAX_SL...

CVSS 7.8, AI score 6.1, EPSS 0.00153

added 2025/09/15 2:48 p.m., 18 views

CVE-2022-50323

CVE-2022-50323 (Linux kernel): The vulnerability stems from skb_append_pagefrags() sensing pfmemalloc status for pages owned by user space, triggering a data race reported by KCSAN in the swap/LRU paths. The fix/mitigation is to stop sensing pfmemalloc status for these pages and to use skb_fill_...

CVSS 5.5, AI score 6, EPSS 0.00143

added 2025/09/15 2:49 p.m., 18 views

CVE-2022-50324

CVE-2022-50324 — The Linux kernel contains a fix in the mtd: maps: pxa2xx-flash subsystem to address a memory leak during probe/remapping. The issue is triggered during probe when remapping an area and could leak memory if not handled properly; the fix frees the ‘info’ structure upon remapping er...

CVSS 5.5, AI score 6.1, EPSS 0.00149

added 2025/09/15 2:49 p.m., 18 views

CVE-2022-50337

The CVE-2022-50337 issue affects the Linux kernel OCXL path: get_function_0() calls pci_get_domain_bus_and_slot(), which returns a PCI device with an incremented refcount. If pci_dev_put() is not called, a refcount leak can occur. The fixes add device reference handling and ensure calls to pci_de...

CVSS 5.5, AI score 6, EPSS 0.00145

added 2025/09/17 2:56 p.m., 18 views

CVE-2022-50355

CVE-2022-50355 affects the Linux kernel staging vt6655 driver. In some initialization paths, memory is allocated with an index variable i, and the subsequent reverse-order cleanup on allocation failure can miss the case i=0 (memory leak) and can start with i=-1 (access to invalid memory). One loo...

CVSS 5.5, AI score 6.2, EPSS 0.0019

added 2025/09/17 2:56 p.m., 18 views

CVE-2022-50358

The CVE-2022-50358 issue affects the Linux kernel driver brcmfmac. When the dongle reports an invalid max_flowrings value (greater than 256) during firmware initialization, the host may read an abnormal number and trigger a kernel panic when performing iowrite to initialize the dongle ring. The v...

CVSS 4.2, AI score 6, EPSS 0.00275

added 2025/09/17 2:56 p.m., 18 views

CVE-2022-50362

CVE-2022-50362 pertains to the Linux kernel DMA engine (hisilicon) where multi-thread access to a DMA channel could cause an OOPS and system hang. The issue arises when multiple threads race to rewrite a channel descriptor after device_issue_pending is called, leading the interrupt handler to pro...

CVSS 5.5, AI score 6, EPSS 0.00184

added 2025/09/17 2:56 p.m., 18 views

CVE-2022-50365

CVE-2022-50365 pertains to the Linux kernel's skb tail handling during pull operations. The issue can arise when a program uses helpers like BPF_FUNC_skb_pull_data to read content beyond the skb headlen if all fragments are linear, potentially triggering a kernel BUG in net/core/skbuff.c:4219. Th...

CVSS 5.5, AI score 5.8, EPSS 0.00196

added 2025/09/17 2:56 p.m., 18 views

CVE-2022-50372

CVE-2022-50372 pertains to the Linux kernel’s CIFS/SMB client: a memory leak occurs when building the ntlmssp negotiate blob during mount of CIFS shares. The issue manifests as an unreferenced object and can lead to a session setup leak if the negotiate blob construction fails. The vulnerability ...

CVSS 5.5, AI score 6.1, EPSS 0.00168

added 2025/09/18 1:33 p.m., 18 views

CVE-2022-50383

The CVE-2022-50383 vulnerability affects the Linux kernel media: mediatek: vcodec path. It describes a fix for a race/NULL pointer dereference when latency decoding errors cause the core thread to call v4l2_m2m_buf_done_and_job_finish and free the dst buffer, potentially triggering a NULL pointer...

CVSS 5.5, AI score 6.3, EPSS 0.00143

added 2025/09/18 1:33 p.m., 18 views

CVE-2022-50384

CVE-2022-50384 is a Linux kernel vulnerability in staging/vme_user (tsi148_dma_list_add) where an error path could free an entry without removing it from list->entries, risking use-after-free. The connected documents confirm the root cause is the failure to remove &entry->list from list->...

CVSS 7.8, AI score 6.2, EPSS 0.00156

added 2025/09/18 1:33 p.m., 18 views

CVE-2022-50385

CVE-2022-50385 affects the Linux kernel NFS automount path: when mounting from an NFSv4 referral, path->dentry can become a negative dentry, so the fix derives the struct nfs_server from the dentry itself. The vulnerability is an Oops (local impact) and is resolved in the kernel by this change...

CVSS 5.5, AI score 6.1, EPSS 0.00146

added 2025/09/18 4:3 p.m., 18 views

CVE-2022-50411

CVE-2022-50411 concerns the Linux kernel. A use-after-free vulnerability occurs in the ACPI sub-system: after a failed invocation of acpi_ds_call_control_method(), the thread’s next_walk_state is freed but not popped, causing acpi_ps_parse_aml() to obtain an invalid current walk state. The fix ma...

CVSS 7.8, AI score 6.3, EPSS 0.00152

added 2025/10/01 11:41 a.m., 18 views

CVE-2022-50422

CVE-2022-50422 affects the Linux kernel’s SCSI LIBSAS path. When SMP task execution fails, smp_execute_task_sg() calls del_timer() to remove slow_task->timer, but if sas_task_internal_timedout() is running, the timer isn’t stopped, causing a use-after-free of task->slow_task. The fix is to ...

CVSS 7.8, AI score 6.2, EPSS 0.00147

added 2025/10/04 3:16 p.m., 18 views

CVE-2022-50476

The CVE-2022-50476 issue concerns ntb_netdev in the Linux kernel where TX/RX callback handlers can run in interrupt context via the DMA framework. The root cause was calling the interrupt-unsafe dev_kfree_skb() from ntb_netdev_tx_handler() and ntb_netdev_rx_handler(); the fix uses the interrupt-c...

CVSS 5.5, AI score 6.1, EPSS 0.00145

added 2025/10/04 3:43 p.m., 18 views

CVE-2022-50490

Summary: CVE-2022-50490 affects the Linux kernel bpf path in __htab_map_lookup_and_delete_batch, where a failed htab_lock_bucket() returning -EBUSY could cause silent bucket-skips, out-of-bounds memory access, or kernel memory exposure to userspace. Root cause: error from htab_lock_bucket() not p...

CVSS 7.1, AI score 6.1, EPSS 0.00147

added 2025/10/04 3:43 p.m., 18 views

CVE-2022-50503

CVE-2022-50503 affects the Linux kernel component mtd: lpddr2_nvm. The vulnerability is a possible null-ptr-deref in resource_size(add_range) when platform_get_resource() returns NULL. This is triggered in the lpddr2_nvm code path and can lead to a crash/local impact as described. The issue has b...

CVSS 5.5, AI score 6.2, EPSS 0.00149

added 2025/10/07 3:19 p.m., 18 views

CVE-2022-50525

The CVE-2022-50525 issue affects the Linux kernel, specifically the iommu/fsl_pamu path. The root cause was in fsl_pamu_probe(): on create_csd() failure, the function returned early, leaving IRQs and memory unreleased. The patch fixes this by jumping to an error-handling path when create_csd() fa...

CVSS 5.5, AI score 6.1, EPSS 0.00147

added 2025/10/07 3:19 p.m., 18 views

CVE-2022-50529

CVE-2022-50529 refers to a Linux kernel memory-leak in the test_firmware path. When misc_register() failed in test_firmware_init(), the memory pointed by test_fw_config->name was not released. The leak evidence shows an unreferenced object and a backtrace ending at test_firmware initialization...

CVSS 5.5, AI score 6, EPSS 0.00143

added 2025/10/07 3:19 p.m., 18 views

CVE-2022-50534

CVE-2022-50534 (Linux kernel, dm thin): A vulnerability in the dm thin component can trigger an ABBA deadlock between shrinker_rwsem and pmd-root_lock when concurrent drop cache operations and dm thin worker threads run. This may lead to a broken btree with mixed fresh/stale nodes and cause a sy...

CVSS 5.5, AI score 6, EPSS 0.00147

added 2025/10/07 3:21 p.m., 18 views

CVE-2022-50539

In the Linux kernel, CVE-2022-50539 concerns the ARM OMAP2+ platform, specifically omap4-common. The issue arises in omap4_sram_init() where of_find_compatible_node() can return a node pointer with its refcount already incremented. The underlying root cause is a refcount leak related to node hand...

CVSS 5.5, AI score 6.1, EPSS 0.00141

added 2025/09/15 2:3 p.m., 18 views

CVE-2023-53153

The CVE-2023-53153 entry describes a Linux kernel flaw in wifi cfg80211 (wext) where key data in wext.connect isn’t reset on (re)connect, allowing data from a prior connection to linger and potentially enable use-after-free during driver/mac80211 handling. The issue is fixed in the Linux kernel b...

CVSS 7.8, AI score 6, EPSS 0.00149

added 2025/09/15 2:4 p.m., 18 views

CVE-2023-53172

CVE-2023-53172 concerns the Linux kernel fsverity feature. A change to FS_IOC_ENABLE_VERITY made it read data via __kernel_read() instead of direct pagecache, which made the WARN_ON_ONCE path reachable when the FD was opened with ioctl-only mode (mode 3). The fix is to reject FS_IOC_ENABLE_VERITY...

CVSS 5.5, AI score 6, EPSS 0.00128

added 2025/09/15 2:21 p.m., 18 views

CVE-2023-53199

CVE-2023-53199 – Linux kernel, wifi: ath9k: hif_usb memory leak in rx stream. Syzkaller reported that when processing skbs in ath9k_hif_usb_rx_stream(), allocated skbs in skb_pool could be leaked if the function fails (e.g., due to an incorrect pkt_len or pkt_tag causing an input skb to be inval...

CVSS 5.5, AI score 6, EPSS 0.00146

added 2025/09/15 2:21 p.m., 18 views

CVE-2023-53214

Summary (CVE-2023-53214): The issue is in the Linux kernel (F2FS) where __update_iostat_latency() can corrupt memory due to a mixup between META_FLUSH and NR_PAGE_TYPE, leading to a potential buffer/memory corruption. The connected documents indicate a fix that adds an iotype sanity check to preve...

CVSS 7.8, AI score 6.5, EPSS 0.00169

added 2025/09/15 2:22 p.m., 18 views

CVE-2023-53230

CVE-2023-53230 concerns the Linux kernel SMB client. The publicly provided docs identify the issue as a fix to a warning in fs/smb/client/cifsfs.c:982 within cifs_smb3_do_mount(), described as a memory‑leak warning reported by the kernel test robot. The connected advisories indicate the patch was...

CVSS 5.5, AI score 6.1, EPSS 0.00145

added 2025/09/15 2:22 p.m., 18 views

CVE-2023-53234

The CVE-2023-53234 entry relates to the Linux kernel watchdog subsystem. The attached description and connected Nessus advisories confirm a root-cause: put_device is not called in all code paths when cdev_device_add fails and wdd->id != 0, leading to leaks in watchdog_dev_register paths. The f...

CVSS 5.5, AI score 6.2, EPSS 0.00147

added 2025/09/15 2:46 p.m., 18 views

CVE-2023-53253

CVE-2023-53253 affects the Linux kernel HID path for nvidia-shield. The underlying issue is a use-after-free caused by freeing the input_dev name during input_dev unregister, when the name is freed by devres cleanup via input_unregister_device. The mitigation described in the public records is to...

CVSS 7.8, AI score 6.1, EPSS 0.00133

added 2025/09/15 2:46 p.m., 18 views

CVE-2023-53256

CVE-2023-53256 resolves a Linux kernel issue in the firmware/arm_ffa path where device names for logical partitions could collide. The root cause was that the device name used by FFA partitions included only the VM ID, while UUIDs were kept in partition info, causing sysfs errors like “cannot cre...

CVSS 5.5, AI score 5.7, EPSS 0.00136

added 2025/09/16 8:11 a.m., 18 views

CVE-2023-53273

In the Linux kernel vulnerability CVE-2023-53273, the issue lies in the vmbus driver’s channel handling. The function relid2channel() assumes the vmbus channel array is allocated, but in multi-kernel scenarios (e.g., kdump/kexec), not all relids are reset by the host. If a guest receives a vmbus ...

CVSS 5.5, AI score 6, EPSS 0.00145

added 2025/09/16 8:11 a.m., 18 views

CVE-2023-53286

CVE-2023-53286 affects the Linux kernel’s RDMA mlx5 path. The issue is: when destroying QP/RQ, the firmware destruction result was ignored, so upper layers could proceed as if destruction succeeded, potentially triggering kernel WARNs. The description specifies that the kernel now returns the fir...

CVSS 7.8, AI score 5.9, EPSS 0.00142

added 2025/09/16 4:11 p.m., 18 views

CVE-2023-53307

CVE-2023-53307: In the Linux kernel rbd subsystem, do_rbd_add() can trigger a use-after-free if rbd_dev_create() fails after transferring ownership of rbd_dev fields (rbd_client, spec, opts) to the rbd_dev. The root cause is that these structures are freed when rbd_dev_create() calls rbd_dev_free...

CVSS 7.8, AI score 6.1, EPSS 0.0015

added 2025/09/16 4:11 p.m., 18 views

CVE-2023-53308

The CVE-2023-53308 issue is in the Linux kernel net: fec driver handling of pm_runtime_get() failures during removal. When pm_runtime_get() (as pm_runtime_resume_and_get()) fails, the remove callback may return an error, but the driver core ignores it and continues removing the device, causing a ...

CVSS 7.8, AI score 6.1, EPSS 0.00153

added 2025/09/16 4:11 p.m., 18 views

CVE-2023-53311

CVE-2023-53311 concerns a use-after-free in nilfs2 within the Linux kernel. The root cause is a UAF on the nilfs_root structure that can occur when inodes are freed from the “garbage_list” during unmount/dispose flows, specifically in a path triggered by iput()->mark_inode_dirty_sync() during ...

CVSS 7.8, AI score 6.2, EPSS 0.00149

Total number of security vulnerabilities: 13804