CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48915 – thermal: core: Fix TZ_GET_TRIP NULL pointer dereference
https://notcve.org/view.php?id=CVE-2022-48915
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix TZ_GET_TRIP NULL pointer dereference Do not call get_trip_hyst() from thermal_genl_cmd_tz_get_trip() if the thermal zone does not define one. In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix TZ_GET_TRIP NULL pointer dereference Do not call get_trip_hyst() from thermal_genl_cmd_tz_get_trip() if the thermal zone does not define one. • https://git.kernel.org/stable/c/1ce50e7d408ef2bdc8ca021363fd46d1b8bfad00 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48914 – xen/netfront: destroy queues before real_num_tx_queues is zeroed
https://notcve.org/view.php?id=CVE-2022-48914
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: xen/netfront: destroy queues before real_num_tx_queues is zeroed xennet_destroy_queues() relies on info->netdev->real_num_tx_queues to delete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 ("net-sysfs: update the queue counts in the unregistration path"), unregister_netdev() indirectly sets real_num_tx_queues to 0. Those two facts together means, that xennet_destroy_queues() called from xennet_remove() cannot do its job, because it'... • https://git.kernel.org/stable/c/35cad2003b6447932cfe91f795090586306738e8 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48913 – blktrace: fix use after free for struct blk_trace
https://notcve.org/view.php?id=CVE-2022-48913
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: blktrace: fix use after free for struct blk_trace When tracing the whole disk, 'dropped' and 'msg' will be created under 'q->debugfs_dir' and 'bt->dir' is NULL, thus blk_trace_free() won't remove those files. What's worse, the following UAF can be triggered because of accessing stale 'dropped' and 'msg': ================================================================== BUG: KASAN: use-after-free in blk_dropped_read+0x89/0x100 Read of size ... • https://git.kernel.org/stable/c/c0ea57608b691d6cde8aff23e11f9858a86b5918 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2022-48912 – netfilter: fix use-after-free in __nf_register_net_hook()
https://notcve.org/view.php?id=CVE-2022-48912
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: fix use-after-free in __nf_register_net_hook() We must not dereference @new_hooks after nf_hook_mutex has been released, because other threads might have freed our allocated hooks already. BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:130 [inline] BUG: KASAN: use-after-free in hooks_validate net/netfilter/core.c:171 [inline] BUG: KASAN: use-after-free in __nf_register_net_hook+0x77a/0x820 ne... • https://git.kernel.org/stable/c/2420b79f8c18a75ee2417cace381f4604b9b4365 • CWE-416: Use After Free •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48911 – netfilter: nf_queue: fix possible use-after-free
https://notcve.org/view.php?id=CVE-2022-48911
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: fix possible use-after-free Eric Dumazet says: The sock_hold() side seems suspect, because there is no guarantee that sk_refcnt is not already 0. On failure, we cannot queue the packet and need to indicate an error. The packet will be dropped by the caller. v2: split skb prefetch hunk into separate change In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: fix possible use-after-free... • https://git.kernel.org/stable/c/271b72c7fa82c2c7a795bc16896149933110672d •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48910 – net: ipv6: ensure we call ipv6_mc_down() at most once
https://notcve.org/view.php?id=CVE-2022-48910
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ensure we call ipv6_mc_down() at most once There are two reasons for addrconf_notify() to be called with NETDEV_DOWN: either the network device is actually going down, or IPv6 was disabled on the interface. If either of them stays down while the other is toggled, we repeatedly call the code for NETDEV_DOWN, including ipv6_mc_down(), while never calling the corresponding ipv6_mc_up() in between. This will cause a new entry in idev... • https://git.kernel.org/stable/c/3ce62a84d53cd3d3cc5377bbf339e9b08ddf9c36 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48909 – net/smc: fix connection leak
https://notcve.org/view.php?id=CVE-2022-48909
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: net/smc: fix connection leak There's a potential leak issue under following execution sequence : smc_release smc_connect_work if (sk->sk_state == SMC_INIT) send_clc_confirim tcp_abort(); ... sk.sk_state = SMC_ACTIVE smc_close_active switch(sk->sk_state) { ... case SMC_ACTIVE: smc_close_final() // then wait peer closed Unfortunately, tcp_abort() may discard CLC CONFIRM messages that are still in the tcp send buffer, in which case our connect... • https://git.kernel.org/stable/c/39f41f367b08650e9aa314e3a13fb6dda1e9eec7 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48908 – net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe()
https://notcve.org/view.php?id=CVE-2022-48908
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe() During driver initialization, the pointer of card info, i.e. the variable 'ci' is required. However, the definition of 'com20020pci_id_table' reveals that this field is empty for some devices, which will cause null pointer dereference when initializing these devices. The following log reveals it: [ 3.973806] KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f... • https://git.kernel.org/stable/c/8c14f9c70327a6fb75534c4c61d7ea9c82ccf78f •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48907 – auxdisplay: lcd2s: Fix memory leak in ->remove()
https://notcve.org/view.php?id=CVE-2022-48907
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: auxdisplay: lcd2s: Fix memory leak in ->remove() Once allocated the struct lcd2s_data is never freed. Fix the memory leak by switching to devm_kzalloc(). In the Linux kernel, the following vulnerability has been resolved: auxdisplay: lcd2s: Fix memory leak in ->remove() Once allocated the struct lcd2s_data is never freed. Fix the memory leak by switching to devm_kzalloc(). • https://git.kernel.org/stable/c/8c9108d014c5bd0f0da2e3544eb45dc56a6da92b •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48906 – mptcp: Correctly set DATA_FIN timeout when number of retransmits is large
https://notcve.org/view.php?id=CVE-2022-48906
22 Aug 2024 — In the Linux kernel, the following vulnerability has been resolved: mptcp: Correctly set DATA_FIN timeout when number of retransmits is large Syzkaller with UBSAN uncovered a scenario where a large number of DATA_FIN retransmits caused a shift-out-of-bounds in the DATA_FIN timeout calculation: ================================================================================ UBSAN: shift-out-of-bounds in net/mptcp/protocol.c:470:29 shift exponent 32 is too large for 32-bit type 'unsigned int' CPU: 1 PID: 1305... • https://git.kernel.org/stable/c/6477dd39e62c3a67cfa368ddc127410b4ae424c6 •