CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48834 – usb: usbtmc: Fix bug in pipe direction for control transfers
https://notcve.org/view.php?id=CVE-2022-48834
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: usb: usbtmc: Fix bug in pipe direction for control transfers The syzbot fuzzer reported a minor bug in the usbtmc driver: usb 5-1: BOGUS control dir, pipe 80001e80 doesn't match bRequestType 0 WARNING: CPU: 0 PID: 3813 at drivers/usb/core/urb.c:412 usb_submit_urb+0x13a5/0x1970 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 3813 Comm: syz-executor122 Not tainted 5.17.0-rc5-syzkaller-00306-g2293be58d6a1 #0 ... Call Trace:
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48833 – btrfs: skip reserved bytes warning on unmount after log cleanup failure
https://notcve.org/view.php?id=CVE-2022-48833
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: btrfs: skip reserved bytes warning on unmount after log cleanup failure After the recent changes made by commit c2e39305299f01 ("btrfs: clear extent buffer uptodate when we fail to write it") and its followup fix, commit 651740a5024117 ("btrfs: check WRITE_ERR when trying to read an extent buffer"), we can now end up not cleaning up space reservations of log tree extent buffers after a transaction abort happens, as well as not cleaning up s... • https://git.kernel.org/stable/c/4c5d94990fa2fd609360ecd0f7e183212a7d115c •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48829 – NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes
https://notcve.org/view.php?id=CVE-2022-48829
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes iattr::ia_size is a loff_t, so these NFSv3 procedures must be careful to deal with incoming client size values that are larger than s64_max without corrupting the value. Silently capping the value results in storing a different value than the client passed in which is unexpected behavior, so remove the min_t() check in decode_sattr3(). Note that RFC 1813 permits only the WRITE pr... • https://git.kernel.org/stable/c/72c14aed6838b5d90b4dd926b6a339b34bb02e08 • CWE-253: Incorrect Check of Function Return Value •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48828 – NFSD: Fix ia_size underflow
https://notcve.org/view.php?id=CVE-2022-48828
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix ia_size underflow iattr::ia_size is a loff_t, which is a signed 64-bit type. NFSv3 and NFSv4 both define file size as an unsigned 64-bit type. Thus there is a range of valid file size values an NFS client can send that is already larger than Linux can handle. Currently decode_fattr4() dumps a full u64 value into ia_size. If that value happens to be larger than S64_MAX, then ia_size underflows. • https://git.kernel.org/stable/c/d2211e6e34d0755f35e2f8c22d81999fa81cfc71 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48827 – NFSD: Fix the behavior of READ near OFFSET_MAX
https://notcve.org/view.php?id=CVE-2022-48827
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix the behavior of READ near OFFSET_MAX Dan Aloni reports: > Due to commit 8cfb9015280d ("NFS: Always provide aligned buffers to > the RPC read layers") on the client, a read of 0xfff is aligned up > to server rsize of 0x1000. > > As a result, in a test where the server has a file of size > 0x7fffffffffffffff, and the client tries to read from the offset > 0x7ffffffffffff000, the read causes loff_t overflow in the server > and it ret... • https://git.kernel.org/stable/c/1726a39b0879acfb490b22dca643f26f4f907da9 • CWE-125: Out-of-bounds Read •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48826 – drm/vc4: Fix deadlock on DSI device attach error
https://notcve.org/view.php?id=CVE-2022-48826
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/vc4: Fix deadlock on DSI device attach error DSI device attach to DSI host will be done with host device's lock held. Un-registering host in "device attach" error path (ex: probe retry) will result in deadlock with below call trace and non operational DSI display. Startup Call trace: [ 35.043036] rt_mutex_slowlock.constprop.21+0x184/0x1b8 [ 35.043048] mutex_lock_nested+0x7c/0xc8 [ 35.043060] device_del+0x4c/0x3e8 [ 35.043075] device_unr... • https://git.kernel.org/stable/c/770d1ba9a8201ce9bee0946eb03746449b6f3b80 •
CVSS: 8.6EPSS: 0%CPEs: 8EXPL: 2CVE-2022-48805 – net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
https://notcve.org/view.php?id=CVE-2022-48805
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup ax88179_rx_fixup() contains several out-of-bounds accesses that can be triggered by a malicious (or defective) USB device, in particular: - The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips. - A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used by ... • https://packetstorm.news/files/id/188959 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48804 – vt_ioctl: fix array_index_nospec in vt_setactivate
https://notcve.org/view.php?id=CVE-2022-48804
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: vt_ioctl: fix array_index_nospec in vt_setactivate array_index_nospec ensures that an out-of-bounds value is set to zero on the transient path. Decreasing the value by one afterwards causes a transient integer underflow. vsa.console should be decreased first and then sanitized with array_index_nospec. Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU Amster... • https://git.kernel.org/stable/c/830c5aa302ec16b4ee641aec769462c37f802c90 •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48795 – parisc: Fix data TLB miss in sba_unmap_sg
https://notcve.org/view.php?id=CVE-2022-48795
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: parisc: Fix data TLB miss in sba_unmap_sg Rolf Eike Beer reported the following bug: [1274934.746891] Bad Address (null pointer deref?): Code=15 (Data TLB miss fault) at addr 0000004140000018 [1274934.746891] CPU: 3 PID: 5549 Comm: cmake Not tainted 5.15.4-gentoo-parisc64 #4 [1274934.746891] Hardware name: 9000/785/C8000 [1274934.746891] [1274934.746891] YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI [1274934.746891] PSW: 00001000000001001111111000001110... • https://git.kernel.org/stable/c/f23f0444ead4d941165aa82ce2fcbb997dc00e97 •
CVSS: 3.3EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48794 – net: ieee802154: at86rf230: Stop leaking skb's
https://notcve.org/view.php?id=CVE-2022-48794
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: at86rf230: Stop leaking skb's Upon error the ieee802154_xmit_complete() helper is not called. Only ieee802154_wake_queue() is called manually. In the Tx case we then leak the skb structure. Free the skb structure upon error before returning when appropriate. As the 'is_tx = 0' cannot be moved in the complete handler because of a possible race between the delay in switching to STATE_RX_AACK_ON and a new interrupt, we introdu... • https://git.kernel.org/stable/c/d2a1eaf51b7d4412319adb6acef114ba472d1692 •