CVE-2022-50127

In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix error unwind in rxe_create_qp() In the function rxe_create_qp(), rxe_qp_from_init() is called toinitialize qp, internally things like the spin locks are not setup untilrxe_qp_init_req(). If an error occures before thi...

CVE-2022-50134

In the Linux kernel, the following vulnerability has been resolved: RDMA/hfi1: fix potential memory leak in setup_base_ctxt() setup_base_ctxt() allocates a memory chunk for uctxt->groups withhfi1_alloc_ctxt_rcv_groups(). When init_user_ctxt() fails, uctxt->groupsis not released, which will le...

CVE-2022-50149

In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential deadlock in __driver_attach In __driver_attach function, There are also AA deadlock problem,like the commit b232b02bf3c2 ("driver core: fix deadlock in__device_attach"). stack like commit b232b02bf3c2 ("d...

CVE-2022-50158

In the Linux kernel, the following vulnerability has been resolved: mtd: partitions: Fix refcount leak in parse_redboot_of of_get_child_by_name() returns a node pointer with refcountincremented, we should use of_node_put() on it when not need anymore.Add missing of_node_put() to avoid refcount leak...

CVE-2022-50159

In the Linux kernel, the following vulnerability has been resolved: of: check previous kernel's ima-kexec-buffer against memory bounds Presently ima_get_kexec_buffer() doesn't check if the previous kernel'sima-kexec-buffer lies outside the addressable memory range. This can resultin a kernel panic ...

CVE-2022-50169

In the Linux kernel, the following vulnerability has been resolved: wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi() The simple_write_to_buffer() function will succeed if even a singlebyte is initialized. However, we need to initialize the whole bufferto prevent information leaks. Just...

CVE-2022-50176

In the Linux kernel, the following vulnerability has been resolved: drm/mcde: Fix refcount leak in mcde_dsi_bind Every iteration of for_each_available_child_of_node() decrementsthe reference counter of the previous node. There is no decrementwhen break out from the loop and results in refcount leak...

CVE-2022-50222

In the Linux kernel, the following vulnerability has been resolved: tty: vt: initialize unicode screen buffer syzbot reports kernel infoleak at vcs_read() [1], for buffer can be readimmediately after resize operation. Initialize buffer using kzalloc(). #include #include #include #include int main(...

CVE-2022-50231

In the Linux kernel, the following vulnerability has been resolved: crypto: arm64/poly1305 - fix a read out-of-bound A kasan error was reported during fuzzing: BUG: KASAN: slab-out-of-bounds in neon_poly1305_blocks.constprop.0+0x1b4/0x250 [poly1305_neon]Read of size 4 at addr ffff0010e293f010 by ta...

CVE-2024-57992

In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: unregister wiphy only if it has been registered There is a specific error path in probe functions in wilc drivers (bothsdio and spi) which can lead to kernel panic, as this one for examplewhen using SPI: Unable to h...

CVE-2025-37894

In the Linux kernel, the following vulnerability has been resolved: net: use sock_gen_put() when sk_state is TCP_TIME_WAIT It is possible for a pointer of type struct inet_timewait_sock to bereturned from the functions __inet_lookup_established() and__inet6_lookup_established(). This can cause a cr...

CVE-2025-37895

In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix error handling path in bnxt_init_chip() WARN_ON() is triggered in __flush_work() if bnxt_init_chip() failsbecause we call cancel_work_sync() on dim work that has not beeninitialized. WARNING: CPU: 37 PID: 5223 at kerne...

CVE-2025-37906

In the Linux kernel, the following vulnerability has been resolved: ublk: fix race between io_uring_cmd_complete_in_task and ublk_cancel_cmd ublk_cancel_cmd() calls io_uring_cmd_done() to complete uring_cmd, butwe may have scheduled task work via io_uring_cmd_complete_in_task() fordispatching reque...

CVE-2025-37919

In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp: Fix NULL pointer deref in acp_i2s_set_tdm_slot Update chip data using dev_get_drvdata(dev->parent) to fixNULL pointer deref in acp_i2s_set_tdm_slot.

CVE-2025-37971

In the Linux kernel, the following vulnerability has been resolved: staging: bcm2835-camera: Initialise dev in v4l2_dev Commit 42a2f6664e18 ("staging: vc04_services: Move global g_state tovchiq_state") changed mmal_init to pass dev->v4l2_dev.dev tovchiq_mmal_init, however nothing iniitialised de...

CVE-2025-38007

In the Linux kernel, the following vulnerability has been resolved: HID: uclogic: Add NULL check in uclogic_input_configured() devm_kasprintf() returns NULL when memory allocation fails. Currently,uclogic_input_configured() does not check for this case, which resultsin a NULL pointer dereference. A...

CVE-2025-38015

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix memory leak in error handling path of idxd_alloc Memory allocated for idxd is not freed if an error occurs duringidxd_alloc(). To fix it, free the allocated memory in the reverse orderof allocation before exiti...

CVE-2025-38020

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Disable MACsec offload for uplink representor profile MACsec offload is not supported in switchdev mode for uplinkrepresentors. When switching to the uplink representor profile, theMACsec offload feature must be cleared ...

CVE-2025-38022

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix "KASAN: slab-use-after-free Read in ib_register_device" problem Call Trace: __dump_stack lib/dump_stack.c:94 [inline]dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120print_address_description mm/kasan/report.c:408 [inl...

CVE-2025-38031

In the Linux kernel, the following vulnerability has been resolved: padata: do not leak refcount in reorder_work A recent patch that addressed a UAF introduced a reference count leak:the parallel_data refcount is incremented unconditionally, regardlessof the return value of queue_work(). If the wor...

CVE-2025-38068

In the Linux kernel, the following vulnerability has been resolved: crypto: lzo - Fix compression buffer overrun Unlike the decompression code, the compression code in LZO neverchecked for output overruns. It instead assumes that the calleralways provides enough buffer space, disregarding the buffe...

CVE-2025-38080

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Increase block_sequence array size [Why]It's possible to generate more than 50 steps in hwss_build_fast_sequence,for example with a 6-pipe asic where all pipes are in one MPC chain. Thisoverflows the block_sequence...

CVE-2025-38081

In the Linux kernel, the following vulnerability has been resolved: spi-rockchip: Fix register out of bounds access Do not write native chip select stuff for GPIO chip selects.GPIOs can be numbered much higher than native CS.Also, it makes no sense.

CVE-2025-38087

In the Linux kernel, the following vulnerability has been resolved: net/sched: fix use-after-free in taprio_dev_notifier Since taprio’s taprio_dev_notifier() isn’t protected by anRCU read-side critical section, a race with advance_sched()can lead to a use-after-free. Adding rcu_read_lock() inside t...

CVE-2025-38212

In the Linux kernel, the following vulnerability has been resolved: ipc: fix to protect IPCS lookups using RCU syzbot reported that it discovered a use-after-free vulnerability, 0 idr_for_each() is protected by rwsem, but this is not enough. If it isnot protected by RCU read-critical region, when i...

CVE-2025-38214

In the Linux kernel, the following vulnerability has been resolved: fbdev: Fix fb_set_var to prevent null-ptr-deref in fb_videomode_to_var If fb_add_videomode() in fb_set_var() fails to allocate memory forfb_videomode, later it may lead to a null-ptr dereference infb_videomode_to_var(), as the fb_i...

CVE-2025-38234

In the Linux kernel, the following vulnerability has been resolved: sched/rt: Fix race in push_rt_task Overview When a CPU chooses to call push_rt_task and picks a task to push toanother CPU's runqueue then it will call find_lock_lowest_rq methodwhich would take a double lock on both CPUs' runqueue...

CVE-2022-49942

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected When we are not connected to a channel, sending channel "switch"announcement doesn't make any sense. The BSS list is empty in that case. This causes the for l...

CVE-2022-49948

In the Linux kernel, the following vulnerability has been resolved: vt: Clear selection before changing the font When changing the console font with ioctl(KDFONTOP) the new font sizecan be bigger than the previous font. A previous selection may thus nowbe outside of the new screen size and thus tri...

CVE-2022-49952

In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix memory corruption on probe Add the missing sanity check on the probed-session count to avoidcorrupting memory beyond the fixed-size slab-allocated session arraywhen there are more than FASTRPC_MAX_SESSIONS sessio...

CVE-2022-49957

In the Linux kernel, the following vulnerability has been resolved: kcm: fix strp_init() order and cleanup strp_init() is called just a few lines above this csk->sk_user_datacheck, it also initializes strp->work etc., therefore, it isunnecessary to call strp_done() to cancel the freshly initi...

CVE-2022-49964

In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level Though acpi_find_last_cache_level() always returned signed value and thedocument states it will return any errors caused by lack of a PPTT table,...

CVE-2022-49973

In the Linux kernel, the following vulnerability has been resolved: skmsg: Fix wrong last sg check in sk_msg_recvmsg() Fix one kernel NULL pointer dereference as below: [ 224.462334] Call Trace:[ 224.462394] __tcp_bpf_recvmsg+0xd3/0x380[ 224.462441] ? sock_has_perm+0x78/0xa0[ 224.462463] tcp_bpf_re...

CVE-2022-50011

In the Linux kernel, the following vulnerability has been resolved: venus: pm_helpers: Fix warning in OPP during probe Fix the following WARN triggered during Venus driver probe on5.19.0-rc8-next-20220728: WARNING: CPU: 7 PID: 339 at drivers/opp/core.c:2471 dev_pm_opp_set_config+0x49c/0x610Modules ...

CVE-2022-50021

In the Linux kernel, the following vulnerability has been resolved: ext4: block range must be validated before use in ext4_mb_clear_bb() Block range to free is validated in ext4_free_blocks() usingext4_inode_block_valid() and then it's passed to ext4_mb_clear_bb().However in some situations on biga...

CVE-2022-50024

In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw-axi-dmac: do not print NULL LLI during error During debugging we have seen an issue where axi_chan_dump_lli()is passed a NULL LLI pointer which ends up causing an OOPS dueto trying to get fields from it. Simply print ...

CVE-2022-50028

In the Linux kernel, the following vulnerability has been resolved: gadgetfs: ep_io - wait until IRQ finishes after usb_ep_queue() if wait_for_completion_interruptible() isinterrupted we need to wait until IRQ gets finished. Otherwise complete() from epio_complete() can corrupt stack.

CVE-2022-50030

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Prevent buffer overflow crashes in debugfs with malformed user input Malformed user input to debugfs results in buffer overflow crashes. Adaptinput string lengths to fit within internal buffers, leaving space for NULLte...

CVE-2022-50097

In the Linux kernel, the following vulnerability has been resolved: video: fbdev: s3fb: Check the size of screen before memset_io() In the function s3fb_set_par(), the value of 'screen_size' iscalculated by the user input. If the user provides the improper value,the value of 'screen_size' may large...

CVE-2022-50103

In the Linux kernel, the following vulnerability has been resolved: sched, cpuset: Fix dl_cpu_busy() panic due to empty cs->cpus_allowed With cgroup v2, the cpuset's cpus_allowed mask can be empty indicatingthat the cpuset will just use the effective CPUs of its parent. Socpuset_can_attach() can...

CVE-2022-50108

In the Linux kernel, the following vulnerability has been resolved: mfd: max77620: Fix refcount leak in max77620_initialise_fps of_get_child_by_name() returns a node pointer with refcountincremented, we should use of_node_put() on it when not need anymore.Add missing of_node_put() to avoid refcount...

CVE-2022-50118

In the Linux kernel, the following vulnerability has been resolved: powerpc/perf: Optimize clearing the pending PMI and remove WARN_ON for PMI check in power_pmu_disable commit 2c9ac51b850d ("powerpc/perf: Fix PMU callbacks to clearpending PMI before resetting an overflown PMC") added a newfunction...

CVE-2022-50131

In the Linux kernel, the following vulnerability has been resolved: HID: mcp2221: prevent a buffer overflow in mcp_smbus_write() Smatch Warning:drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() error: __memcpy()'&mcp->txbuf[5]' too small (59 vs 255)drivers/hid/hid-mcp2221.c:388 mcp_smbus_write() e...

CVE-2022-50140

In the Linux kernel, the following vulnerability has been resolved: memstick/ms_block: Fix a memory leak 'erased_blocks_bitmap' is never freed. As it is allocated at the same timeas 'used_blocks_bitmap', it is likely that it should be freed also at thesame time. Add the corresponding bitmap_free() ...

CVE-2022-50155

In the Linux kernel, the following vulnerability has been resolved: mtd: parsers: ofpart: Fix refcount leak in bcm4908_partitions_fw_offset of_find_node_by_path() returns a node pointer with refcount incremented,we should use of_node_put() on it when not need anymore.Add missing of_node_put() to av...

CVE-2022-50156

In the Linux kernel, the following vulnerability has been resolved: HID: cp2112: prevent a buffer overflow in cp2112_xfer() Smatch warnings:drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy()'data->block[1]' too small (33 vs 255)drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy...

CVE-2022-50160

In the Linux kernel, the following vulnerability has been resolved: mtd: maps: Fix refcount leak in ap_flash_init of_find_matching_node() returns a node pointer with refcountincremented, we should use of_node_put() on it when not need anymore.Add missing of_node_put() to avoid refcount leak.

CVE-2022-50185

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers() The last case label can write two buffers 'mc_reg_address[j]' and'mc_data[j]' with 'j' offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZEsince there are no...

CVE-2022-50209

In the Linux kernel, the following vulnerability has been resolved: meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init of_find_matching_node() returns a node pointer with refcountincremented, we should use of_node_put() on it when not need anymore.Add missing of_node_put() to avoid refcou...

CVE-2022-50218

In the Linux kernel, the following vulnerability has been resolved: iio: light: isl29028: Fix the warning in isl29028_remove() The driver use the non-managed form of the register function inisl29028_remove(). To keep the release order as mirroring the orderingin probe, the driver should use non-man...