
CVE-2022-50258 – wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()
https://notcve.org/view.php?id=CVE-2022-50258
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds() This patch fixes a stack-out-of-bounds read in brcmfmac that occurs when 'buf' that is not null-terminated is passed as an argument of strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware version string by memcpy() in brcmf_fil_iovar_data_get(). The patch ensures buf is null-terminated. Found by a modified version of syzkaller. [ 47.569679][ T... • https://git.kernel.org/stable/c/89243a7b0ea19606ba1c2873c9d569026ccb344f •

CVE-2022-50257 – xen/gntdev: Prevent leaking grants
https://notcve.org/view.php?id=CVE-2022-50257
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: xen/gntdev: Prevent leaking grants Prior to this commit, if a grant mapping operation failed partially, some of the entries in the map_ops array would be invalid, whereas all of the entries in the kmap_ops array would be valid. This in turn would cause the following logic in gntdev_map_grant_pages to become invalid: for (i = 0; i < map->count; i++) { if (map->map_ops[i].status == GNTST_okay) { map->unmap_ops[i].handle = map->map_ops[i].hand... • https://git.kernel.org/stable/c/36cd49b071fceca70326d9db786aa15e9fffd677 •

CVE-2022-50256 – drm/meson: remove drm bridges at aggregate driver unbind time
https://notcve.org/view.php?id=CVE-2022-50256
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/meson: remove drm bridges at aggregate driver unbind time drm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init were not manually removed at module unload time, which caused dangling references to freed memory to remain linked in the global bridge_list. When loading the driver modules back in, the same functions would again call drm_bridge_add, and when traversing the global bridge_list, would end up peeking into free... • https://git.kernel.org/stable/c/bbbe775ec5b5dace43a35886da9924837da09ddd •

CVE-2022-50253 – bpf: make sure skb->len != 0 when redirecting to a tunneling device
https://notcve.org/view.php?id=CVE-2022-50253
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: make sure skb->len != 0 when redirecting to a tunneling device syzkaller managed to trigger another case where skb->len == 0 when we enter __dev_queue_xmit: WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline] WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295 Call Trace: dev_queue_xmit+0x17/0x20 net/core/dev.c:4406 __bpf_tx... • https://git.kernel.org/stable/c/ffbccc5fb0a67424e12f7f8da210c04c8063f797 •

CVE-2022-50252 – igb: Do not free q_vector unless new one was allocated
https://notcve.org/view.php?id=CVE-2022-50252
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: igb: Do not free q_vector unless new one was allocated Avoid potential use-after-free condition under memory pressure. If the kzalloc() fails, q_vector will be freed but left in the original adapter->q_vector[v_idx] array position. • https://git.kernel.org/stable/c/64ca1969599857143e91aeec4440640656100803 •

CVE-2022-50251 – mmc: vub300: fix return value check of mmc_add_host()
https://notcve.org/view.php?id=CVE-2022-50251
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix return value check of mmc_add_host() mmc_add_host() may return an error; if we ignore its return value, the memory that was allocated in mmc_alloc_host() will be leaked and it will lead to a kernel crash because of deleting a not-added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(); besides, the timer added before mmc_add_host() needs to be deleted. And this patch fixes ... • https://git.kernel.org/stable/c/88095e7b473a3d9ec3b9c60429576e9cbd327c89 •

CVE-2022-50250 – regulator: core: fix use_count leakage when handling boot-on
https://notcve.org/view.php?id=CVE-2022-50250
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix use_count leakage when handling boot-on I found a use_count leakage towards supply regulator of rdev with boot-on option.
┌───────────────────┐           ┌───────────────────┐
│  regulator_dev A  │           │  regulator_dev B  │
│     (boot-on)     │           │     (boot-on)     │
│    use_count=0    │◀──supply──│    use_count=1    │
│                   │           │                   │
└───────────────────┘           └───────────────────┘
In case of rdev(A) configured with `regulator-boot-on', the use_count of supplying regulator(B)... • https://git.kernel.org/stable/c/dc3391d49479bc2bf8a2b88dbf86fdd800882fee •

CVE-2022-50249 – memory: of: Fix refcount leak bug in of_get_ddr_timings()
https://notcve.org/view.php?id=CVE-2022-50249
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: memory: of: Fix refcount leak bug in of_get_ddr_timings() We should add the of_node_put() when breaking out of for_each_child_of_node() as it will automatically increase and decrease the refcount. • https://git.kernel.org/stable/c/e6b42eb6a66c188642aeb447312938c6f6ebee86 •

CVE-2022-50248 – wifi: iwlwifi: mvm: fix double free on tx path.
https://notcve.org/view.php?id=CVE-2022-50248
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix double free on tx path. We see kernel crashes and lockups and KASAN errors related to ax210 firmware crashes. One of the KASAN dumps pointed at the tx path, and it appears there is indeed a way to double-free an skb. If iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the method will be freed. But, in case where we build TSO skb buffer, the skb may also be freed in error case. • https://git.kernel.org/stable/c/08f7d8b69aaf137db8ee0a2d7c9e6cd6383ae250 •

CVE-2022-50246 – usb: typec: tcpci: fix of node refcount leak in tcpci_register_port()
https://notcve.org/view.php?id=CVE-2022-50246
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpci: fix of node refcount leak in tcpci_register_port() I got the following report while doing device(mt6370-tcpc) load test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@34/tcpc/connector The 'fwnode' set in tcpci_parse_config() which is called in tcpci_register_port(), ... • https://git.kernel.org/stable/c/5e85a04c8c0d271d7561a770b85741f186398868 •