CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-38086 – net: ch9200: fix uninitialised access during mii_nway_restart
https://notcve.org/view.php?id=CVE-2025-38086
28 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net: ch9200: fix uninitialised access during mii_nway_restart In mii_nway_restart() the code attempts to call mii->mdio_read which is ch9200_mdio_read(). ch9200_mdio_read() utilises a local buffer called "buff", which is initialised with control_read(). However "buff" is conditionally initialised inside control_read(): if (err == size) { memcpy(data, buf, size); } If the condition of "err == size" is not met, then "buff" remains uninitialis... • https://git.kernel.org/stable/c/4a476bd6d1d923922ec950ddc4c27b279f6901eb •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38085 – mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race
https://notcve.org/view.php?id=CVE-2025-38085
28 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race huge_pmd_unshare() drops a reference on a page table that may have previously been shared across processes, potentially turning it into a normal page table used in another process in which unrelated VMAs can afterwards be installed. If this happens in the middle of a concurrent gup_fast(), gup_fast() could end up walking the page tables of another process. While I don't see any way in whic... • https://git.kernel.org/stable/c/39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa •
CVSS: 5.6EPSS: 0%CPEs: 7EXPL: 0CVE-2025-38084 – mm/hugetlb: unshare page tables during VMA split, not before
https://notcve.org/view.php?id=CVE-2025-38084
28 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: unshare page tables during VMA split, not before Currently, __split_vma() triggers hugetlb page table unsharing through vm_ops->may_split(). This happens before the VMA lock and rmap locks are taken - which is too early, it allows racing VMA-locked page faults in our process and racing rmap walks from other processes to cause page tables to be shared again before we actually perform the split. Fix it by explicitly calling into t... • https://git.kernel.org/stable/c/39dde65c9940c97fcd178a3d2b1c57ed8b7b68aa •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50229 – ALSA: bcd2000: Fix a UAF bug on the error path of probing
https://notcve.org/view.php?id=CVE-2022-50229
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: bcd2000: Fix a UAF bug on the error path of probing When the driver fails in snd_card_register() at probe time, it will free the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug. The following log can reveal it: [ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000] [ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0 [ 50.729530] Call Trace: [ 50.732899] bcd20... • https://git.kernel.org/stable/c/b47a22290d581277be70e8a597824a4985d39e83 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50228 – KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
https://notcve.org/view.php?id=CVE-2022-50228
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0 Don't BUG/WARN on interrupt injection due to GIF being cleared, since it's trivial for userspace to force the situation via KVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct for KVM internally generated injections). kernel BUG at arch/x86/kvm/svm/svm.c:3386! invalid opcode: 0000 [#1] SMP CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264 Hard... • https://git.kernel.org/stable/c/219b65dcf6c0bad83d51bfa12e25891c02de2414 •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-50224 – KVM: x86/mmu: Treat NX as a valid SPTE bit for NPT
https://notcve.org/view.php?id=CVE-2022-50224
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: Treat NX as a valid SPTE bit for NPT Treat the NX bit as valid when using NPT, as KVM will set the NX bit when the NX huge page mitigation is enabled (mindblowing) and trigger the WARN that fires on reserved SPTE bits being set. KVM has required NX support for SVM since commit b26a71a1a5b9 ("KVM: SVM: Refuse to load kvm_amd if NX support is not available") for exactly this reason, but apparently it never occurred to anyone to ... • https://git.kernel.org/stable/c/6271f2854b9233702e236e576b885a876dde4889 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2022-50222 – tty: vt: initialize unicode screen buffer
https://notcve.org/view.php?id=CVE-2022-50222
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: tty: vt: initialize unicode screen buffer syzbot reports kernel infoleak at vcs_read() [1], for buffer can be read immediately after resize operation. Initialize buffer using kzalloc(). ---------- #include
CVSS: 6.6EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50220 – usbnet: Fix linkwatch use-after-free on disconnect
https://notcve.org/view.php?id=CVE-2022-50220
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: usbnet: Fix linkwatch use-after-free on disconnect usbnet uses the work usbnet_deferred_kevent() to perform tasks which may sleep. On disconnect, completion of the work was originally awaited in ->ndo_stop(). But in 2003, that was moved to ->disconnect() by historic commit "[PATCH] USB: usbnet, prevent exotic rtnl deadlock": https://git.kernel.org/tglx/history/c/0f138bbfd83c The change was made because back then, the kernel's workqueue impl... • https://git.kernel.org/stable/c/d2d6b530d89b0a912148018027386aa049f0a309 •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50215 – scsi: sg: Allow waiting for commands to complete on removed device
https://notcve.org/view.php?id=CVE-2022-50215
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: sg: Allow waiting for commands to complete on removed device When a SCSI device is removed while in active use, currently sg will immediately return -ENODEV on any attempt to wait for active commands that were sent before the removal. This is problematic for commands that use SG_FLAG_DIRECT_IO since the data buffer may still be in use by the kernel when userspace frees or reuses it after getting ENODEV, leading to corrupted userspace ... • https://git.kernel.org/stable/c/bbc118acf7baf9e93c5e1314d14f481301af4d0f •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2022-50213 – netfilter: nf_tables: do not allow SET_ID to refer to another table
https://notcve.org/view.php?id=CVE-2022-50213
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: do not allow SET_ID to refer to another table When doing lookups for sets on the same batch by using its ID, a set from a different table can be used. Then, when the table is removed, a reference to the set may be kept after the set is freed, leading to a potential use-after-free. When looking for sets by ID, use the table that was used for the lookup by name, and only return sets belonging to that same table. This fix... • https://git.kernel.org/stable/c/958bee14d0718ca7a5002c0f48a099d1d345812a •