CVSS: 6.9EPSS: %CPEs: 10EXPL: 0CVE-2022-49505 – NFC: NULL out the dev->rfkill to prevent UAF
https://notcve.org/view.php?id=CVE-2022-49505
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: NFC: NULL out the dev->rfkill to prevent UAF Commit 3e3b5dfcd16a ("NFC: reorder the logic in nfc_{un,}register_device") assumes the device_is_registered() in function nfc_dev_up() will help to check when the rfkill is unregistered. However, this check only take effect when device_del(&dev->dev) is done in nfc_unregister_device(). Hence, the rfkill object is still possible be dereferenced. The crash trace in latest kernel (5.18-rc2): [ 68.76... • https://git.kernel.org/stable/c/ff169909eac9e00bf1aa0af739ba6ddfb1b1d135 •
CVSS: 5.5EPSS: %CPEs: 2EXPL: 0CVE-2022-49504 – scsi: lpfc: Inhibit aborts if external loopback plug is inserted
https://notcve.org/view.php?id=CVE-2022-49504
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Inhibit aborts if external loopback plug is inserted After running a short external loopback test, when the external loopback is removed and a normal cable inserted that is directly connected to a target device, the system oops in the llpfc_set_rrq_active() routine. When the loopback was inserted an FLOGI was transmit. As we're looped back, we receive the FLOGI request. The FLOGI is ABTS'd as we recognize the same wppn thus unde... • https://git.kernel.org/stable/c/a1516930cb605caee3bc7b4f3b7994b88c0b8505 •
CVSS: 7.1EPSS: %CPEs: 9EXPL: 0CVE-2022-49503 – ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix
https://notcve.org/view.php?id=CVE-2022-49503
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix The "rxstatus->rs_keyix" eventually gets passed to test_bit() so we need to ensure that it is within the bitmap. drivers/net/wireless/ath/ath9k/common.c:46 ath9k_cmn_rx_accept() error: passing untrusted data 'rx_stats->rs_keyix' to 'test_bit()' In the Linux kernel, the following vulnerability has been resolved: ath9k_htc: fix potential out of bounds access with in... • https://git.kernel.org/stable/c/4ed1a8d4a25711f780b96920fff2bb531229e322 •
CVSS: 7.8EPSS: %CPEs: 5EXPL: 0CVE-2022-49502 – media: rga: fix possible memory leak in rga_probe
https://notcve.org/view.php?id=CVE-2022-49502
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: media: rga: fix possible memory leak in rga_probe rga->m2m_dev needs to be freed when rga_probe fails. • https://git.kernel.org/stable/c/8ddc89437ccefa18279918c19a61fd81527f40b9 •
CVSS: 7.1EPSS: %CPEs: 4EXPL: 0CVE-2022-49501 – usbnet: Run unregister_netdev() before unbind() again
https://notcve.org/view.php?id=CVE-2022-49501
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usbnet: Run unregister_netdev() before unbind() again Commit 2c9d6c2b871d ("usbnet: run unbind() before unregister_netdev()") sought to fix a use-after-free on disconnect of USB Ethernet adapters. It turns out that a different fix is necessary to address the issue: https://lore.kernel.org/netdev/18b3541e5372bc9b9fc733d422f4e698c089077c.1650177997.git.lukas@wunner.de/ So the commit was not necessary. The commit made binding and unbinding of ... • https://git.kernel.org/stable/c/6d5deb242874d924beccf7eb3cef04c1c3b0da79 •
CVSS: 7.8EPSS: %CPEs: 5EXPL: 0CVE-2022-49497 – net: remove two BUG() from skb_checksum_help()
https://notcve.org/view.php?id=CVE-2022-49497
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: remove two BUG() from skb_checksum_help() I have a syzbot report that managed to get a crash in skb_checksum_help() If syzbot can trigger these BUG(), it makes sense to replace them with more friendly WARN_ON_ONCE() since skb_checksum_help() can instead return an error code. Note that syzbot will still crash there, until real bug is fixed. In the Linux kernel, the following vulnerability has been resolved: net: remove two BUG() from sk... • https://git.kernel.org/stable/c/312c43e98ed190bd8fd7a71a0addf9539d5b8ab1 •
CVSS: 5.5EPSS: %CPEs: 2EXPL: 0CVE-2022-49496 – media: mediatek: vcodec: prevent kernel crash when rmmod mtk-vcodec-dec.ko
https://notcve.org/view.php?id=CVE-2022-49496
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: prevent kernel crash when rmmod mtk-vcodec-dec.ko If the driver support subdev mode, the parameter "dev->pm.dev" will be NULL in mtk_vcodec_dec_remove. Kernel will crash when try to rmmod mtk-vcodec-dec.ko. [ 4380.702726] pc : do_raw_spin_trylock+0x4/0x80 [ 4380.707075] lr : _raw_spin_lock_irq+0x90/0x14c [ 4380.711509] sp : ffff80000819bc10 [ 4380.714811] x29: ffff80000819bc10 x28: ffff3600c03e4000 x27: 000000000000... • https://git.kernel.org/stable/c/1fa37b00dc55a061a3eb82e378849862b4aeca9d •
CVSS: 5.5EPSS: %CPEs: 9EXPL: 0CVE-2022-49495 – drm/msm/hdmi: check return value after calling platform_get_resource_byname()
https://notcve.org/view.php?id=CVE-2022-49495
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/msm/hdmi: check return value after calling platform_get_resource_byname() It will cause null-ptr-deref if platform_get_resource_byname() returns NULL, we need check the return value. Patchwork: https://patchwork.freedesktop.org/patch/482992/ In the Linux kernel, the following vulnerability has been resolved: drm/msm/hdmi: check return value after calling platform_get_resource_byname() It will cause null-ptr-deref if platform_get_resourc... • https://git.kernel.org/stable/c/c6a57a50ad562a2e6fc6ac3218b710caea73a58b •
CVSS: 7.1EPSS: %CPEs: 9EXPL: 0CVE-2022-49493 – ASoC: rt5645: Fix errorenous cleanup order
https://notcve.org/view.php?id=CVE-2022-49493
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: rt5645: Fix errorenous cleanup order There is a logic error when removing rt5645 device as the function rt5645_i2c_remove() first cancel the &rt5645->jack_detect_work and delete the &rt5645->btn_check_timer latter. However, since the timer handler rt5645_btn_check_callback() will re-queue the jack_detect_work, this cleanup order is buggy. That is, once the del_timer_sync in rt5645_i2c_remove is concurrently run with the rt5645_btn_che... • https://git.kernel.org/stable/c/7d801e807536a9a9c2146c5f4a5836f154517ed3 •
CVSS: 5.5EPSS: %CPEs: 9EXPL: 0CVE-2022-49492 – nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags
https://notcve.org/view.php?id=CVE-2022-49492
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags In nvme_alloc_admin_tags, the admin_q can be set to an error (typically -ENOMEM) if the blk_mq_init_queue call fails to set up the queue, which is checked immediately after the call. However, when we return the error message up the stack, to nvme_reset_work the error takes us to nvme_remove_dead_ctrl() nvme_dev_disable() nvme_suspend_queue(&dev->queues[0]). Here, we only chec... • https://git.kernel.org/stable/c/8321b17789f614414206af07e17ce4751c95dc76 •