CVSS: - | EPSS: 0% | CPEs: 8 | EXPL: 0
CVE-2022-50709 – wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
https://notcve.org/view.php?id=CVE-2022-50709
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with pkt_len = 0 but ath9k_hif_usb_rx_stream() uses __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb with uninitialized memory and ath9k_htc_rx_msg() is reading fr... • https://git.kernel.org/stable/c/fb9987d0f748c983bb795a86f47522313f701a08 •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2022-50708 – HSI: ssi_protocol: fix potential resource leak in ssip_pn_open()
https://notcve.org/view.php?id=CVE-2022-50708
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: fix potential resource leak in ssip_pn_open() ssip_pn_open() claims the HSI client's port with hsi_claim_port(). When hsi_register_port_event() gets some error and returns a negative value, the HSI client's port should be released with hsi_release_port(). Fix it by calling hsi_release_port() when hsi_register_port_event() fails. • https://git.kernel.org/stable/c/dc7bf5d7186849aa36b9f0e42e250a813a7b0bdb •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2022-50707 – virtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session()
https://notcve.org/view.php?id=CVE-2022-50707
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: virtio-crypto: fix memory leak in virtio_crypto_alg_skcipher_close_session() 'vc_ctrl_req' is alloced in virtio_crypto_alg_skcipher_close_session(), and should be freed in the invalid ctrl_status->status error handling case. Otherwise there is a memory leak. • https://git.kernel.org/stable/c/0756ad15b1fef287d4d8fa11bc36ea77a5c42e4a •
CVSS: - | EPSS: 0% | CPEs: 6 | EXPL: 0
CVE-2022-50706 – net/ieee802154: don't warn zero-sized raw_sendmsg()
https://notcve.org/view.php?id=CVE-2022-50706
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net/ieee802154: don't warn zero-sized raw_sendmsg() syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1], for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting __dev_queue_xmit() with skb->len == 0. Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was able to return 0, don't call __dev_queue_xmit() if packet length is 0. ---------- #include
CVSS: - | EPSS: 0% | CPEs: 5 | EXPL: 0
CVE-2022-50705 – io_uring/rw: defer fsnotify calls to task context
https://notcve.org/view.php?id=CVE-2022-50705
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring/rw: defer fsnotify calls to task context We can't call these off the kiocb completion as that might be off soft/hard irq context. Defer the calls to when we process the task_work for this request. That avoids valid complaints like: stack backtrace: CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.0.0-rc6-syzkaller-00321-g105a36f3694e #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022 Call Trace:... • https://git.kernel.org/stable/c/df1ec53252d5b5b26ea49e30438741c9a6d89857 •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2022-50704 – USB: gadget: Fix use-after-free during usb config switch
https://notcve.org/view.php?id=CVE-2022-50704
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: USB: gadget: Fix use-after-free during usb config switch In the process of switching USB config from rndis to other config, if the hardware does not support the ->pullup callback, or the hardware encounters a low probability fault, both of them may cause the ->pullup callback to fail, which will then cause a system panic (use after free). The gadget drivers sometimes need to be unloaded regardless of the hardware's behavior. Analysis as fol... • https://git.kernel.org/stable/c/0a55187a1ec8c03d0619e7ce41d10fdc39cff036 •
CVSS: - | EPSS: 0% | CPEs: 9 | EXPL: 0
CVE-2022-50703 – soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
https://notcve.org/view.php?id=CVE-2022-50703
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() There are two refcount leak bugs in qcom_smsm_probe(): (1) The 'local_node' is escaped out from for_each_child_of_node() as the break of iteration, we should call of_node_put() for it in error path or when it is not used anymore. (2) The 'node' is escaped out from for_each_available_child_of_node() as the 'goto', we should call of_node_put() for it in goto target. The SUSE Linux E... • https://git.kernel.org/stable/c/c97c4090ff72297a878a37715bd301624b71c885 •
CVSS: - | EPSS: 0% | CPEs: 4 | EXPL: 0
CVE-2022-50702 – vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init()
https://notcve.org/view.php?id=CVE-2022-50702
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: vdpa_sim: fix possible memory leak in vdpasim_net_init() and vdpasim_blk_init() Inject fault while probing module, if device_register() fails in vdpasim_net_init() or vdpasim_blk_init(), but the refcount of kobject is not decreased to 0, the name allocated in dev_set_name() is leaked. Fix this by calling put_device(), so that name can be freed in callback function kobject_cleanup(). (vdpa_sim_net) unreferenced object 0xffff88807eebc370 (siz... • https://git.kernel.org/stable/c/a3c06ae158dd6fa8336157c31d9234689d068d02 •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2022-50701 – wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host
https://notcve.org/view.php?id=CVE-2022-50701
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921s: fix slab-out-of-bounds access in sdio host SDIO may need additional 511 bytes to align bus operation. If the tailroom of this skb is not big enough, we would access invalid memory region. For low level operation, increase skb size to keep valid memory access in SDIO host. Error message: [69.951] BUG: KASAN: slab-out-of-bounds in sg_copy_buffer+0xe9/0x1a0 [69.951] Read of size 64 at addr ffff88811c9cf000 by task kworker/u... • https://git.kernel.org/stable/c/764dee47e2c1ed828c8a51cbf58f89b5e3ded11b •
CVSS: - | EPSS: 0% | CPEs: 3 | EXPL: 0
CVE-2022-50700 – wifi: ath10k: Delay the unmapping of the buffer
https://notcve.org/view.php?id=CVE-2022-50700
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: Delay the unmapping of the buffer On WCN3990, we are seeing a rare scenario where copy engine hardware is sending a copy complete interrupt to the host driver while still processing the buffer that the driver has sent, this is leading into an SMMU fault triggering kernel panic. This is happening on copy engine channel 3 (CE3) where the driver normally enqueues WMI commands to the firmware. Upon receiving a copy complete interr... • https://git.kernel.org/stable/c/d390509bdf501c9c8c6e61248e4bc9314c86d854 •
