9871 matches found
CVE-2024-46727
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add otg_master NULL check within resource_log_pipe_topology_update [Why] Coverity reports NULL_RETURN warning. [How] Add otg_master NULL check.
CVE-2024-46748
In the Linux kernel, the following vulnerability has been resolved: cachefiles: Set the max subreq size for cache writes to MAX_RW_COUNT Set the maximum size of a subrequest that writes to cachefiles to be MAX_RW_COUNT so that we don't overrun the maximum write we can make to the backing filesystem.
CVE-2024-46767
In the Linux kernel, the following vulnerability has been resolved: net: phy: Fix missing of_node_put() for leds The call of of_get_child_by_name() will cause refcount incremented for leds, if it succeeds, it should call of_node_put() to decrease it, fix it.
CVE-2024-46823
In the Linux kernel, the following vulnerability has been resolved: kunit/overflow: Fix UB in overflow_allocation_test The 'device_name' array doesn't exist out of the 'overflow_allocation_test' function scope. However, it is being used as a driver name when calling 'kunit_driver_create' from 'kunit_d...
CVE-2024-47662
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Remove register from DCN35 DMCUB diagnostic collection [Why] These registers should not be read from driver and triggering the security violation when DMCUB work times out and diagnostics are collected blocks Z8 entry...
CVE-2024-49854
In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix uaf for accessing waker_bfqq after splitting After commit 42c306ed7233 ("block, bfq: don't break merge chain in bfq_split_bfqq()"), if the current process is the last holder of bfqq, the bfqq can be freed after bfq_s...
CVE-2024-50020
In the Linux kernel, the following vulnerability has been resolved: ice: Fix improper handling of refcount in ice_sriov_set_msix_vec_count() This patch addresses an issue with improper reference count handling in the ice_sriov_set_msix_vec_count() function. First, the function calls ice_get_vf_by_id...
CVE-2024-50176
In the Linux kernel, the following vulnerability has been resolved: remoteproc: k3-r5: Fix error handling when power-up failed By simply bailing out, the driver was violating its rule and internal assumptions that either both or no rproc should be initialized. E.g., this could cause the first core to...
CVE-2024-50253
In the Linux kernel, the following vulnerability has been resolved: bpf: Check the validity of nr_words in bpf_iter_bits_new() Check the validity of nr_words in bpf_iter_bits_new(). Without this check, when multiplication overflow occurs for nr_bits (e.g., when nr_words = 0x0400-0001, nr_bits becomes...
CVE-2024-50281
In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: dcp: fix NULL dereference in AEAD crypto operation When sealing or unsealing a key blob we currently do not wait for the AEAD cipher operation to finish and simply return after submitting the request. If there is some ...
CVE-2024-50286
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slab-use-after-free in ksmbd_smb2_session_create There is a race condition between ksmbd_smb2_session_create and ksmbd_expire_session. This patch adds missing sessions_table_lock while adding/deleting session from global se...
CVE-2024-53109
In the Linux kernel, the following vulnerability has been resolved: nommu: pass NULL argument to vma_iter_prealloc() When deleting a vma entry from a maple tree, it has to pass NULL to vma_iter_prealloc() in order to calculate internal state of the tree, but it passed a wrong argument. As a result, n...
CVE-2024-53149
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: glink: fix off-by-one in connector_status UCSI connector's indices start from 1 up to 3, PMIC_GLINK_MAX_PORTS. Correct the condition in the pmic_glink_ucsi_connector_status() callback, fixing Type-C orientation repo...
CVE-2024-54458
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: bsg: Set bsg_queue to NULL after removal Currently, this does not cause any issues, but I believe it is necessary to set bsg_queue to NULL after removing it to prevent potential use-after-free (UAF) access.
CVE-2024-56547
In the Linux kernel, the following vulnerability has been resolved: rcu/nocb: Fix missed RCU barrier on deoffloading Currently, running rcutorture test with torture_type=rcu fwd_progress=8 n_barrier_cbs=8 nocbs_nthreads=8 nocbs_toggle=100 onoff_interval=60 test_boost=2, will trigger the following war...
CVE-2024-56669
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Remove cache tags before disabling ATS The current implementation removes cache tags after disabling ATS, leading to potential memory leaks and kernel crashes. Specifically, CACHE_TAG_DEVTLB type cache tags may still rema...
CVE-2024-56676
In the Linux kernel, the following vulnerability has been resolved: thermal: testing: Initialize some variables annotated with _free() Variables annotated with __free() need to be initialized if the function can return before they get updated for the first time or the attempt to free the memory point...
CVE-2024-58094
In the Linux kernel, the following vulnerability has been resolved: jfs: add check read-only before truncation in jfs_truncate_nolock() Added a check for "read-only" mode in the jfs_truncate_nolock function to avoid errors related to writing to a read-only filesystem. Call stack: block_write_begin() ...
CVE-2025-21754
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix assertion failure when splitting ordered extent after transaction abort If while we are doing a direct IO write a transaction abort happens, we mark all existing ordered extents with the BTRFS_ORDERED_IOERR flag (done at b...
CVE-2025-21768
In the Linux kernel, the following vulnerability has been resolved: net: ipv6: fix dst ref loops in rpl, seg6 and ioam6 lwtunnels Some lwtunnels have a dst cache for post-transformation dst. If the packet destination did not change we may end up recording a reference to the lwtunnel in its own cache,...
CVE-2025-21886
In the Linux kernel, the following vulnerability has been resolved: RDMA/mlx5: Fix implicit ODP hang on parent deregistration Fix the destroy_unused_implicit_child_mr() to prevent hanging during parent deregistration as of below [1]. Upon entering destroy_unused_implicit_child_mr(), the reference co...
CVE-2025-21972
In the Linux kernel, the following vulnerability has been resolved: net: mctp: unshare packets when reassembling Ensure that the frag_list used for reassembly isn't shared with other packets. This avoids incorrect reassembly when packets are cloned, and prevents a memory leak due to circular referenc...
CVE-2025-21986
In the Linux kernel, the following vulnerability has been resolved: net: switchdev: Convert blocking notification chain to a raw one A blocking notification chain uses a read-write semaphore to protect the integrity of the chain. The semaphore is acquired for writing when adding / removing notifiers ...
CVE-2025-22049
In the Linux kernel, the following vulnerability has been resolved: LoongArch: Increase ARCH_DMA_MINALIGN up to 16 ARCH_DMA_MINALIGN is 1 by default, but some LoongArch-specific devices (such as APBDMA) require 16 bytes alignment. When the data buffer length is too small, the hardware may make an err...
CVE-2025-22052
In the Linux kernel, the following vulnerability has been resolved: staging: gpib: Fix Oops after disconnect in ni_usb If the usb dongle is disconnected subsequent calls to the driver cause a NULL dereference Oops as the bus_interface is set to NULL on disconnect. This problem was introduced by setti...
CVE-2025-37761
In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix an out-of-bounds shift when invalidating TLB When the size of the range invalidated is larger than rounddown_pow_of_two(ULONG_MAX), the function macro roundup_pow_of_two(length) will hit an out-of-bounds shift [1]. Use a f...
CVE-2025-37791
In the Linux kernel, the following vulnerability has been resolved: ethtool: cmis_cdb: use correct rpl size in ethtool_cmis_module_poll() rpl is passed as a pointer to ethtool_cmis_module_poll(), so the correct size of rpl is sizeof(*rpl) which should be just 1 byte. Using the pointer size instead ca...
CVE-2025-37801
In the Linux kernel, the following vulnerability has been resolved: spi: spi-imx: Add check for spi_imx_setupxfer() Add check for the return value of spi_imx_setupxfer(). spi_imx->rx and spi_imx->tx function pointer can be NULL when spi_imx_setupxfer() return error, and make NULL pointer derefe...
CVE-2025-38049
In the Linux kernel, the following vulnerability has been resolved: x86/resctrl: Fix allocation of cleanest CLOSID on platforms with no monitors Commit 6eac36bb9eb0 ("x86/resctrl: Allocate the cleanest CLOSID by searching closid_num_dirty_rmid") added logic that causes resctrl to search for the CLO...
CVE-2007-1388
The do_ipv6_setsockopt function in net/ipv6/ipv6_sockglue.c in Linux kernel before 2.6.20, and possibly other versions, allows local users to cause a denial of service (oops) by calling setsockopt with the IPV6_RTHDR option name and possibly a zero option length or invalid option value, which trigg...
CVE-2011-3619
The apparmor_setprocattr function in security/apparmor/lsm.c in the Linux kernel before 3.0 does not properly handle invalid parameters, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact by writing to a /proc/#####/at...
CVE-2012-6536
net/xfrm/xfrm_user.c in the Linux kernel before 3.6 does not verify that the actual Netlink message length is consistent with a certain header field, which allows local users to obtain sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability and providing a (1) new o...
CVE-2013-4512
Buffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation.
CVE-2016-9120
Race condition in the ion_ioctl function in drivers/staging/android/ion/ion.c in the Linux kernel before 4.6 allows local users to gain privileges or cause a denial of service (use-after-free) by calling ION_IOC_FREE on two CPUs at the same time.
CVE-2021-47121
In the Linux kernel, the following vulnerability has been resolved: net: caif: fix memory leak in cfusbl_device_notify In case of caif_enroll_dev() fail, allocated link_support won't be assigned to the corresponding structure. So simply free allocated pointer in case of error.
CVE-2021-47125
In the Linux kernel, the following vulnerability has been resolved: sch_htb: fix refcount leak in htb_parent_to_leaf_offload The commit ae81feb7338c ("sch_htb: fix null pointer dereference on a null new_q") fixes a NULL pointer dereference bug, but it is not correct. Because htb_graft_helper properly...
CVE-2021-47199
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: CT, Fix multiple allocations and memleak of mod acts CT clear action offload adds additional mod hdr actions to the flow's original mod actions in order to clear the registers which hold ct_state. When such flow also includ...
CVE-2021-47240
In the Linux kernel, the following vulnerability has been resolved: net: qrtr: fix OOB Read in qrtr_endpoint_post Syzbot reported slab-out-of-bounds Read in qrtr_endpoint_post. The problem was in wrong size type: if (len != ALIGN(size, 4) + hdrlen) goto err; If size from qrtr_hdr is 4294967293 (0xfff...
CVE-2021-47282
In the Linux kernel, the following vulnerability has been resolved: spi: bcm2835: Fix out-of-bounds access with more than 4 slaves Commit 571e31fa60b3 ("spi: bcm2835: Cache CS register value for ->prepare_message()") limited the number of slaves to 3 at compile-time. The limitation was necessitate...
CVE-2021-47470
In the Linux kernel, the following vulnerability has been resolved: mm, slub: fix potential use-after-free in slab_debugfs_fops When sysfs_slab_add failed, we shouldn't call debugfs_slab_add() for s because s will be freed soon. And slab_debugfs_fops will use s later leading to a use-after-free.
CVE-2021-47514
In the Linux kernel, the following vulnerability has been resolved: devlink: fix netns refcount leak in devlink_nl_cmd_reload() While preparing my patch series adding netns refcount tracking, I spotted bugs in devlink_nl_cmd_reload() Some error paths forgot to release a refcount on a netns. To fix t...
CVE-2021-47519
In the Linux kernel, the following vulnerability has been resolved: can: m_can: m_can_read_fifo: fix memory leak in error branch In m_can_read_fifo(), if the second call to m_can_fifo_read() fails, the function jumps to the out_fail label and returns without calling m_can_receive_skb(). This means tha...
CVE-2021-47528
In the Linux kernel, the following vulnerability has been resolved: usb: cdnsp: Fix a NULL pointer dereference in cdnsp_endpoint_init() In cdnsp_endpoint_init(), cdnsp_ring_alloc() is assigned to pep->ring and there is a dereference of it in cdnsp_endpoint_init(), which could lead to a NULL pointe...
CVE-2021-47532
In the Linux kernel, the following vulnerability has been resolved: drm/msm/devfreq: Fix OPP refcnt leak
CVE-2021-47613
In the Linux kernel, the following vulnerability has been resolved: i2c: virtio: fix completion handling The driver currently assumes that the notify callback is only received when the device is done with all the queued buffers. However, this is not true, since the notify callback could be called wit...
CVE-2022-3170
An out-of-bounds access issue was found in the Linux kernel sound subsystem. It could occur when the 'id->name' provided by the user did not end with '\0'. A privileged local user could pass a specially crafted name through ioctl() interface and crash the system or potentially escalate their pri...
CVE-2022-3541
A vulnerability classified as critical has been found in Linux Kernel. This affects the function spl2sw_nvmem_get_mac_address of the file drivers/net/ethernet/sunplus/spl2sw_driver.c of the component BPF. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue...
CVE-2022-3595
A vulnerability was found in Linux Kernel. It has been rated as problematic. Affected by this issue is the function sess_free_buffer of the file fs/cifs/sess.c of the component CIFS Handler. The manipulation leads to double free. It is recommended to apply a patch to fix this issue. The identifier ...
CVE-2022-48807
In the Linux kernel, the following vulnerability has been resolved: ice: Fix KASAN error in LAG NETDEV_UNREGISTER handler Currently, the same handler is called for both a NETDEV_BONDING_INFO LAG unlink notification as for a NETDEV_UNREGISTER call. This is causing a problem though, since the netdev_no...
CVE-2022-48813
In the Linux kernel, the following vulnerability has been resolved: net: dsa: felix: don't use devres for mdiobus As explained in commits: 74b6d7d13307 ("net: dsa: realtek: register the MDIO bus under devres") 5135e96a3dd2 ("net: dsa: don't allocate the slave_mii_bus using devres") mdiobus_free() wil...