CVE-2023-52699

In the Linux kernel, the following vulnerability has been resolved: sysv: don't call sb_bread() with pointers_lock held syzbot is reporting sleep in atomic context in SysV filesystem [1], forsb_bread() is called with rw_spinlock held. A "write_lock(&pointers_lock) => read_lock(&pointers_lock) de...

CVE-2023-52977

In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix flow memory leak in ovs_flow_cmd_new Syzkaller reports a memory leak of new_flow in ovs_flow_cmd_new() as it isnot freed when an allocation of a key fails. BUG: memory leakunreferenced object 0xffff88811666800...

CVE-2023-52994

In the Linux kernel, the following vulnerability has been resolved: acpi: Fix suspend with Xen PV Commit f1e525009493 ("x86/boot: Skip realmode init code when running asXen PV guest") missed one code path accessing real_mode_header, leadingto dereferencing NULL when suspending the system under Xen:...

CVE-2024-26790

In the Linux kernel, the following vulnerability has been resolved: dmaengine: fsl-qdma: fix SoC may hang on 16 byte unaligned read There is chip (ls1028a) errata: The SoC may hang on 16 byte unaligned read transactions by QDMA. Unaligned read transactions initiated by QDMA may stall in the NOC(Net...

CVE-2024-26800

In the Linux kernel, the following vulnerability has been resolved: tls: fix use-after-free on failed backlog decryption When the decrypt request goes to the backlog and crypto_aead_decryptreturns -EBUSY, tls_do_decryption will wait until all asyncdecryptions have completed. If one of them fails, t...

CVE-2024-26824

In the Linux kernel, the following vulnerability has been resolved: crypto: algif_hash - Remove bogus SGL free on zero-length error path When a zero-length message is hashed by algif_hash, and an erroris triggered, it tries to free an SG list that was never allocatedin the first place. Fix this by ...

CVE-2024-26829

In the Linux kernel, the following vulnerability has been resolved: media: ir_toy: fix a memleak in irtoy_tx When irtoy_command fails, buf should be freed since it is allocated byirtoy_tx, or there is a memleak.

CVE-2024-27435

In the Linux kernel, the following vulnerability has been resolved: nvme: fix reconnection fail due to reserved tag allocation We found a issue on production environment while using NVMe over RDMA,admin_q reconnect failed forever while remote target and network is ok.After dig into it, we found it ...

CVE-2024-38556

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Add a timeout to acquire the command queue semaphore Prevent forced completion handling on an entry that has not yet beenassigned an index, causing an out of bounds access on idx = -22.Instead of waiting indefinitely for ...

CVE-2024-38567

In the Linux kernel, the following vulnerability has been resolved: wifi: carl9170: add a proper sanity check for endpoints Syzkaller reports [1] hitting a warning which is caused by presenceof a wrong endpoint type at the URB sumbitting stage. While therewas a check for a specific 4th endpoint, si...

CVE-2024-38633

In the Linux kernel, the following vulnerability has been resolved: serial: max3100: Update uart_driver_registered on driver removal The removal of the last MAX3100 device triggers the removal ofthe driver. However, code doesn't update the respective globalvariable and after insmod — rmmod — insmod...

CVE-2024-38667

In the Linux kernel, the following vulnerability has been resolved: riscv: prevent pt_regs corruption for secondary idle threads Top of the kernel thread stack should be reserved for pt_regs. Howeverthis is not the case for the idle threads of the secondary boot harts.Their stacks overlap with thei...

CVE-2024-39482

In the Linux kernel, the following vulnerability has been resolved: bcache: fix variable length array abuse in btree_iter btree_iter is used in two ways: either allocated on the stack with afixed size MAX_BSETS, or from a mempool with a dynamic size based on thespecific cache set. Previously, the s...

CVE-2024-41017

In the Linux kernel, the following vulnerability has been resolved: jfs: don't walk off the end of ealist Add a check before visiting the members of ea tomake sure each ea stays within the ealist.

CVE-2024-41081

In the Linux kernel, the following vulnerability has been resolved: ila: block BH in ila_output() As explained in commit 1378817486d6 ("tipc: block BHbefore using dst_cache"), net/core/dst_cache.chelpers need to be called with BH disabled. ila_output() is called from lwtunnel_output()possibly from ...

CVE-2024-42122

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL pointer check for kzalloc [Why & How]Check return pointer of kzalloc before using it.

CVE-2024-43867

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: prime: fix refcount underflow Calling nouveau_bo_ref() on a nouveau_bo without initializing it (andhence the backing ttm_bo) leads to a refcount underflow. Instead of calling nouveau_bo_ref() in the unwind path ofdrm_g...

CVE-2024-43890

In the Linux kernel, the following vulnerability has been resolved: tracing: Fix overflow in get_free_elt() "tracing_map->next_elt" in get_free_elt() is at risk of overflowing. Once it overflows, new elements can still be inserted into the tracing_mapeven though the maximum number of elements (m...

CVE-2024-44939

In the Linux kernel, the following vulnerability has been resolved: jfs: fix null ptr deref in dtInsertEntry [syzbot reported]general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTIKASAN: null-ptr-deref in range [0x0000000000000008-0x00000000...

CVE-2024-44954

In the Linux kernel, the following vulnerability has been resolved: ALSA: line6: Fix racy access to midibuf There can be concurrent accesses to line6 midibuf from both the URBcompletion callback and the rawmidi API access. This could be a causeof KMSAN warning triggered by syzkaller below (so put a...

CVE-2024-46691

In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Move unregister out of atomic section Commit '9329933699b3 ("soc: qcom: pmic_glink: Make client-locknon-sleeping")' moved the pmic_glink client list under a spinlock, as itis accessed by the rpmsg/glink callback, ...

CVE-2024-47809

In the Linux kernel, the following vulnerability has been resolved: dlm: fix possible lkb_resource null dereference This patch fixes a possible null pointer dereference when this function iscalled from request_lock() as lkb->lkb_resource is not assigned yet,only after validate_lock_args() by cal...

CVE-2024-48881

In the Linux kernel, the following vulnerability has been resolved: bcache: revert replacing IS_ERR_OR_NULL with IS_ERR again Commit 028ddcac477b ("bcache: Remove unnecessary NULL point check innode allocations") leads a NULL pointer deference in cache_set_flush(). 1721 if (!IS_ERR_OR_NULL(c->ro...

CVE-2024-49919

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check for head_pipe in dcn201_acquire_free_pipe_for_layer This commit addresses a potential null pointer dereference issue in thedcn201_acquire_free_pipe_for_layer function. The issue could occurwhen head_...

CVE-2024-49920

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Check null pointers before multiple uses [WHAT & HOW]Poniters, such as stream_enc and dc->bw_vbios, are null checked previouslyin the same function, so Coverity warns "implies that stream_enc anddc->bw_vbios ...

CVE-2024-49963

In the Linux kernel, the following vulnerability has been resolved: mailbox: bcm2835: Fix timeout during suspend mode During noirq suspend phase the Raspberry Pi power driver suffer offirmware property timeouts. The reason is that the IRQ of the underlyingBCM2835 mailbox is disabled and rpi_firmwar...

CVE-2024-50010

In the Linux kernel, the following vulnerability has been resolved: exec: don't WARN for racy path_noexec check Both i_mode and noexec checks wrapped in WARN_ON stem from an artifactof the previous implementation. They used to legitimately check for thecondition, but that got moved up in two commit...

CVE-2024-50124

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: ISO: Fix UAF on iso_sock_timeout conn->sk maybe have been unlinked/freed while waiting for iso_conn_lockso this checks if the conn->sk is still valid by checking if it part ofiso_sk_list.

CVE-2024-50166

In the Linux kernel, the following vulnerability has been resolved: fsl/fman: Fix refcount handling of fman-related devices In mac_probe() there are multiple calls to of_find_device_by_node(),fman_bind() and fman_port_bind() which takes references to of_dev->dev.Not all references taken by these...

CVE-2024-50183

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Ensure DA_ID handling completion before deleting an NPIV instance Deleting an NPIV instance requires all fabric ndlps to be released beforean NPIV's resources can be torn down. Failure to release fabric ndlpsbeforehand ...

CVE-2024-50246

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add rough attr alloc_size check

CVE-2024-50267

In the Linux kernel, the following vulnerability has been resolved: USB: serial: io_edgeport: fix use after free in debug printk The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb)is a use after free of the "urb" pointer. Store the "dev" pointer at thestart of the function...

CVE-2024-53075

In the Linux kernel, the following vulnerability has been resolved: riscv: Prevent a bad reference count on CPU nodes When populating cache leaves we previously fetched the CPU device nodeat the very beginning. But when ACPI is enabled we go through aspecific branch which returns early and does not...

CVE-2024-53112

In the Linux kernel, the following vulnerability has been resolved: ocfs2: uncache inode which has failed entering the group Syzbot has reported the following BUG: kernel BUG at fs/ocfs2/uptodate.c:509!...Call Trace:? __die_body+0x5f/0xb0? die+0x9e/0xc0? do_trap+0x15a/0x3a0? ocfs2_set_new_buffer_up...

CVE-2024-53151

In the Linux kernel, the following vulnerability has been resolved: svcrdma: Address an integer overflow Dan Carpenter reports: Commit 78147ca8b4a9 ("svcrdma: Add a "parsed chunk list" datastructure") from Jun 22, 2020 (linux-next), leads to the followingSmatch static checker warning: net/sunrpc/xp...

CVE-2024-53226

In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix NULL pointer derefernce in hns_roce_map_mr_sg() ib_map_mr_sg() allows ULPs to specify NULL as the sg_offset argument.The driver needs to check whether it is a NULL pointer beforedereferencing it.

CVE-2024-56545

In the Linux kernel, the following vulnerability has been resolved: HID: hyperv: streamline driver probe to avoid devres issues It was found that unloading 'hid_hyperv' module results in a devrescomplaint: ...hv_vmbus: unregistering driver hid_hyperv------------[ cut here ]------------WARNING: CPU:...

CVE-2024-56577

In the Linux kernel, the following vulnerability has been resolved: media: mtk-jpeg: Fix null-ptr-deref during unload module The workqueue should be destroyed in mtk_jpeg_core.c since commit09aea13ecf6f ("media: mtk-jpeg: refactor some variables"), otherwisethe below calltrace can be easily trigger...

CVE-2024-56694

In the Linux kernel, the following vulnerability has been resolved: bpf: fix recursive lock when verdict program return SK_PASS When the stream_verdict program returns SK_PASS, it places the received skbinto its own receive queue, but a recursive lock eventually occurs, leadingto an operating syste...

CVE-2024-56708

In the Linux kernel, the following vulnerability has been resolved: EDAC/igen6: Avoid segmentation fault on module unload The segmentation fault happens because: During modprobe: In igen6_probe(), igen6_pvt will be allocated with kzalloc() In igen6_register_mci(), mci->pvt_info will point to&ige...

CVE-2024-56715

In the Linux kernel, the following vulnerability has been resolved: ionic: Fix netdev notifier unregister on failure If register_netdev() fails, then the driver leaks the netdev notifier.Fix this by calling ionic_lif_unregister() on register_netdev()failure. This will also call ionic_lif_unregister...

CVE-2024-56723

In the Linux kernel, the following vulnerability has been resolved: mfd: intel_soc_pmic_bxtwc: Use IRQ domain for PMIC devices While design wise the idea of converting the driver to usethe hierarchy of the IRQ chips is correct, the implementationhas (inherited) flaws. This was unveiled when platfor...

CVE-2024-57951

In the Linux kernel, the following vulnerability has been resolved: hrtimers: Handle CPU state correctly on hotplug Consider a scenario where a CPU transitions from CPUHP_ONLINE to halfwaythrough a CPU hotunplug down to CPUHP_HRTIMERS_PREPARE, and then back toCPUHP_ONLINE: Since hrtimers_prepare_cp...

CVE-2024-58010

In the Linux kernel, the following vulnerability has been resolved: binfmt_flat: Fix integer overflow bug on 32 bit systems Most of these sizes and counts are capped at 256MB so the math doesn'tresult in an integer overflow. The "relocs" count needs to be checkedas well. Otherwise on 32bit systems ...

CVE-2024-58020

In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: Add NULL check in mt_input_configured devm_kasprintf() can return a NULL pointer on failure,but thisreturned value in mt_input_configured() is not checked.Add NULL check in mt_input_configured(), to handle kernel N...

CVE-2025-21758

In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: add RCU protection to mld_newpack() mld_newpack() can be called without RTNL or RCU being held. Note that we no longer can use sock_alloc_send_skb() becauseipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Inst...

CVE-2025-21914

In the Linux kernel, the following vulnerability has been resolved: slimbus: messaging: Free transaction ID in delayed interrupt scenario In case of interrupt delay for any reason, slim_do_transfer()returns timeout error but the transaction ID (TID) is not freed.This results into invalid memory acc...

CVE-2025-22060

In the Linux kernel, the following vulnerability has been resolved: net: mvpp2: Prevent parser TCAM memory corruption Protect the parser TCAM/SRAM memory, and the cached (shadow) SRAMinformation, from concurrent modifications. Both the TCAM and SRAM tables are indirectly accessed by configuringan i...

CVE-2025-37749

In the Linux kernel, the following vulnerability has been resolved: net: ppp: Add bound checking for skb data on ppp_sync_txmung Ensure we have enough data in linear buffer from skb before accessinginitial bytes. This prevents potential out-of-bounds accesseswhen processing short packets. When ppp_...

CVE-2025-38000

In the Linux kernel, the following vulnerability has been resolved: sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() When enqueuing the first packet to an HFSC class, hfsc_enqueue() calls thechild qdisc's peek() operation before incrementing sch->q.qlen andsch->qstats.backl...