
CVSS: 8.4 | EPSS: 0% | CPEs: 9 | EXPL: 0

15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mwifiex: Fix OOB and integer underflow when rx packets. Make sure mwifiex_process_mgmt_packet, mwifiex_process_sta_rx_packet and mwifiex_process_uap_rx_packet, mwifiex_uap_queue_bridged_pkt and mwifiex_process_rx_packet not out-of-bounds access the skb->data buffer. • https://git.kernel.org/stable/c/2dbaf751b1dec3a603130a475f94cc4d3f404362 • CWE-125: Out-of-bounds Read; CWE-191: Integer Underflow (Wrap or Wraparound)

CVSS: 5.5 | EPSS: 0% | CPEs: 13 | EXPL: 0

15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: spi: imx: Don't skip cleanup in remove's error path. Returning early in a platform driver's remove callback is wrong. In this case the dma resources are not released in the error path. This is never retried later and so this is a permanent leak. To fix this, only skip hardware disabling if waking the device fails. • https://git.kernel.org/stable/c/d593574aff0ab846136190b1729c151c736727ec • CWE-401: Missing Release of Memory after Effective Lifetime

CVSS: 7.1 | EPSS: 0% | CPEs: 7 | EXPL: 0

15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: Fix function prototype mismatch for ext4_feat_ktype. With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. ext4_feat_ktype was setting the "releas... • https://git.kernel.org/stable/c/b99fee58a20ab8e0557cce87b6f187e325993142 • CWE-401: Missing Release of Memory after Effective Lifetime; CWE-628: Function Call with Incorrectly Specified Arguments

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0

15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/msm/dsi: Add missing check for alloc_ordered_workqueue. Add check for the return value of alloc_ordered_workqueue as it may return NULL pointer and cause NULL pointer dereference. Patchwork: https://patchwork.freedesktop.org/patch/517646/ • https://git.kernel.org/stable/c/0cf6c71d70d8aa39b8fd0e39c9009602a0e0d300 • CWE-476: NULL Pointer Dereference

CVSS: 7.1 | EPSS: 0% | CPEs: 8 | EXPL: 0

15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: jfs_dmap: Validate db_l2nbperpage while mounting. In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block number inside dbFree(). db_l2nbperpage, which is the log2 number of blocks per page, is passed as an argument to BLKTODMAP which uses it for shifting. Syzbot reported a shift out-of-bounds crash because db_l2nbperpage is too big. This happens because the large value is set without any validation in dbMount() at line 181.... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-125: Out-of-bounds Read

CVSS: 5.5 | EPSS: 0% | CPEs: 6 | EXPL: 0

15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix memleak due to fentry attach failure. If it fails to attach fentry, the allocated bpf trampoline image will be left in the system. That can be verified by checking /proc/kallsyms. This memleak can be verified by a simple bpf program as follows: SEC("fentry/trap_init") int fentry_run() { return 0; } It will fail to attach trap_init because this function is freed after kernel init, and then we can find the trampoline image is left in... • https://git.kernel.org/stable/c/e21aa341785c679dd409c8cb71f864c00fe6c463 • CWE-401: Missing Release of Memory after Effective Lifetime; CWE-772: Missing Release of Resource after Effective Lifetime

CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0

15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: az6007: Fix null-ptr-deref in az6007_i2c_xfer(). In az6007_i2c_xfer, msg is controlled by user. When msg[i].buf is null and msg[i].len is zero, former checks on msg[i].buf would be passed. Malicious data finally reach az6007_i2c_xfer. If accessing msg[i].buf[0] without sanity check, null ptr deref would happen. We add check on msg[i].len to prevent crash. Similar commit: commit 0ed554fd769a ("media: dvb-usb: az6027: fix null-ptr-deref... • https://git.kernel.org/stable/c/caa1a700ed2a06a831e6a7db5d9f213fc63caee3 • CWE-476: NULL Pointer Dereference

CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0

15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: netup_unidvb: fix use-after-free at del_timer(). When Universal DVB card is detaching, netup_unidvb_dma_fini() uses del_timer() to stop dma->timeout timer. But when timer handler netup_unidvb_dma_timeout() is running, del_timer() could not stop it. As a result, the use-after-free bug could happen. The process is shown below: (cleanup routine) | (timer routine) | mod_timer(&dev->tx_sim_timer, ..) netup_unidvb_finidev() | (wait a time) ... • https://git.kernel.org/stable/c/52b1eaf4c59a3bbd07afbb4ab4f43418a807d02e • CWE-416: Use After Free

CVSS: 7.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Make it so that a waiting process can be aborted. When sendmsg() creates an rxrpc call, it queues it to wait for a connection and channel to be assigned and then waits before it can start shovelling data as the encrypted DATA packet content includes a summary of the connection parameters. However, sendmsg() may get interrupted before a connection gets assigned and further sendmsg() calls will fail with EBUSY until an assignment is mad... • https://git.kernel.org/stable/c/540b1c48c37ac0ad66212004db21e1ff7e2d78be • CWE-772: Missing Release of Resource after Effective Lifetime

CVSS: 7.8 | EPSS: 0% | CPEs: 6 | EXPL: 0

15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: nubus: Partially revert proc_create_single_data() conversion. The conversion to proc_create_single_data() introduced a regression whereby reading a file in /proc/bus/nubus results in a seg fault: # grep -r . /proc/bus/nubus/e/ Data read fault at 0x00000020 in Super Data (pc=0x1074c2) BAD KERNEL BUSERR Oops: 00000000 Modules linked in: PC: [<001074c2>] PDE_DATA+0xc/0x16 SR: 2010 SP: 38284958 a2: 01152370 d0: 00000001 d1: 01013000 d2: 01002790... • https://git.kernel.org/stable/c/3f3942aca6da351a12543aa776467791b63b3a78