CVSS: 5.5EPSS: %CPEs: 3EXPL: 0CVE-2022-49732 – sock: redo the psock vs ULP protection check
https://notcve.org/view.php?id=CVE-2022-49732
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: sock: redo the psock vs ULP protection check Commit 8a59f9d1e3d4 ("sock: Introduce sk->sk_prot->psock_update_sk_prot()") has moved the inet_csk_has_ulp(sk) check from sk_psock_init() to the new tcp_bpf_update_proto() function. I'm guessing that this was done to allow creating psocks for non-inet sockets. Unfortunately the destruction path for psock includes the ULP unwind, so we need to fail the sk_psock_init() itself. Otherwise if ULP is a... • https://git.kernel.org/stable/c/8a59f9d1e3d4340659fdfee8879dc09a6f2546e1 •
CVSS: 5.5EPSS: %CPEs: 8EXPL: 0CVE-2022-49731 – ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo()
https://notcve.org/view.php?id=CVE-2022-49731
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo() In an unlikely (and probably wrong?) case that the 'ppi' parameter of ata_host_alloc_pinfo() points to an array starting with a NULL pointer, there's going to be a kernel oops as the 'pi' local variable won't get reassigned from the initial value of NULL. Initialize 'pi' instead to '&ata_dummy_port_info' to fix the possible kernel oops for good... Found by Linux Verification... • https://git.kernel.org/stable/c/ca4693e6e06e4fd2b240c0fec47aa2498c94848e •
CVSS: 5.5EPSS: %CPEs: 3EXPL: 0CVE-2022-49730 – scsi: lpfc: Resolve NULL ptr dereference after an ELS LOGO is aborted
https://notcve.org/view.php?id=CVE-2022-49730
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Resolve NULL ptr dereference after an ELS LOGO is aborted A use-after-free crash can occur after an ELS LOGO is aborted. Specifically, a nodelist structure is freed and then ndlp->vport->cfg_log_verbose is dereferenced in lpfc_nlp_get() when the discovery state machine is mistakenly called a second time with NLP_EVT_DEVICE_RM argument. Rework lpfc_cmpl_els_logo() to prevent the duplicate calls to release a nodelist structure. In... • https://git.kernel.org/stable/c/5e83869e29448958f8ae2c6911f350318f75e4fc •
CVSS: 5.5EPSS: %CPEs: 8EXPL: 0CVE-2022-49729 – nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred
https://notcve.org/view.php?id=CVE-2022-49729
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred Similar to the handling of play_deferred in commit 19cfe912c37b ("Bluetooth: btusb: Fix memory leak in play_deferred"), we thought a patch might be needed here as well. Currently usb_submit_urb is called directly to submit deferred tx urbs after unanchor them. So the usb_giveback_urb_bh would failed to unref it in usb_unanchor_urb and cause memory leak. Put those urbs in tx_anchor to av... • https://git.kernel.org/stable/c/1eb0afecfb9cd0f38424b82bd9aaa542310934ee •
CVSS: 7.1EPSS: %CPEs: 2EXPL: 0CVE-2022-49728 – ipv6: Fix signed integer overflow in __ip6_append_data
https://notcve.org/view.php?id=CVE-2022-49728
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix signed integer overflow in __ip6_append_data Resurrect ubsan overflow checks and ubsan report this warning, fix it by change the variable [length] type to size_t. UBSAN: signed-integer-overflow in net/ipv6/ip6_output.c:1489:19 2147479552 + 8567 cannot be represented in type 'int' CPU: 0 PID: 253 Comm: err Not tainted 5.16.0+ #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x214/0x230 show_stack+0x30/0x78 dump_st... • https://git.kernel.org/stable/c/84dc940890e91e42898e4443a093281702440abf •
CVSS: 7.8EPSS: %CPEs: 8EXPL: 0CVE-2022-49727 – ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg
https://notcve.org/view.php?id=CVE-2022-49727
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be overflow. To fix, we can follow what udpv6 does and subtract the transhdrlen from the max. In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be overflow. To fix, we can follow what udpv... • https://git.kernel.org/stable/c/2cf73c7cb6125083408d77f43d0e84d86aed0000 •
CVSS: 5.5EPSS: %CPEs: 5EXPL: 0CVE-2022-49726 – clocksource: hyper-v: unexport __init-annotated hv_init_clocksource()
https://notcve.org/view.php?id=CVE-2022-49726
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: clocksource: hyper-v: unexport __init-annotated hv_init_clocksource() EXPORT_SYMBOL and __init is a bad combination because the .init.text section is freed up after the initialization. Hence, modules cannot use symbols annotated __init. The access to a freed symbol may end up with kernel panic. modpost used to detect it, but it has been broken for a decade. Recently, I fixed modpost so it started to warn it again, then this showed up in lin... • https://git.kernel.org/stable/c/dd2cb348613b44f9d948b068775e159aad298599 •
CVSS: 7.8EPSS: %CPEs: 7EXPL: 0CVE-2022-49725 – i40e: Fix call trace in setup_tx_descriptors
https://notcve.org/view.php?id=CVE-2022-49725
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: Fix call trace in setup_tx_descriptors After PF reset and ethtool -t there was call trace in dmesg sometimes leading to panic. When there was some time, around 5 seconds, between reset and test there were no errors. Problem was that pf reset calls i40e_vsi_close in prep_for_reset and ethtool -t calls i40e_vsi_close in diag_test. If there was not enough time between those commands the second i40e_vsi_close starts before previous i40e_v... • https://git.kernel.org/stable/c/e17bc411aea8fbebc51857037f104ab09f765120 •
CVSS: 5.5EPSS: %CPEs: 7EXPL: 0CVE-2022-49724 – tty: goldfish: Fix free_irq() on remove
https://notcve.org/view.php?id=CVE-2022-49724
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: tty: goldfish: Fix free_irq() on remove Pass the correct dev_id to free_irq() to fix this splat when the driver is unbound: WARNING: CPU: 0 PID: 30 at kernel/irq/manage.c:1895 free_irq Trying to free already-free IRQ 65 Call Trace: warn_slowpath_fmt free_irq goldfish_tty_remove platform_remove device_remove device_release_driver_internal device_driver_detach unbind_store drv_attr_store ... In the Linux kernel, the following vulnerability ha... • https://git.kernel.org/stable/c/465893e18878e119d8d0255439fad8debbd646fd •
CVSS: 5.5EPSS: %CPEs: 4EXPL: 0CVE-2022-49723 – drm/i915/reset: Fix error_state_read ptr + offset use
https://notcve.org/view.php?id=CVE-2022-49723
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/i915/reset: Fix error_state_read ptr + offset use Fix our pointer offset usage in error_state_read when there is no i915_gpu_coredump but buf offset is non-zero. This fixes a kernel page fault can happen when multiple tests are running concurrently in a loop and one is producing engine resets and consuming the i915 error_state dump while the other is forcing full GT resets. (takes a while to trigger). The dmesg call trace: [ 5590.803000... • https://git.kernel.org/stable/c/0e39037b3165567660b0e03f67534da5269a0465 •