CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-52974 – scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress
https://notcve.org/view.php?id=CVE-2023-52974
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: iscsi_tcp: Fix UAF during login when accessing the shost ipaddress If during iscsi_sw_tcp_session_create() iscsi_tcp_r2tpool_alloc() fails, userspace could be accessing the host's ipaddress attr. If we then free the session via iscsi_session_teardown() while userspace is still accessing the session we will hit a use after free bug. Set the tcp_sw_host->session after we have completed session creation and can no longer fail. In the Lin... • https://git.kernel.org/stable/c/496af9d3682ed4c28fb734342a09e6cc0c056ea4 • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-52973 – vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF
https://notcve.org/view.php?id=CVE-2023-52973
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: vc_screen: move load of struct vc_data pointer in vcs_read() to avoid UAF After a call to console_unlock() in vcs_read() the vc_data struct can be freed by vc_deallocate(). Because of that, the struct vc_data pointer load must be done at the top of while loop in vcs_read() to avoid a UAF when vcs_size() is called. Syzkaller reported a UAF in vcs_size(). BUG: KASAN: use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215) Read of size 4 a... • https://git.kernel.org/stable/c/ac751efa6a0d70f2c9daef5c7e3a92270f5c2dff • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49761 – btrfs: always report error in run_one_delayed_ref()
https://notcve.org/view.php?id=CVE-2022-49761
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: always report error in run_one_delayed_ref() Currently we have a btrfs_debug() for run_one_delayed_ref() failure, but if end users hit such problem, there will be no chance that btrfs_debug() is enabled. This can lead to very little useful info for debugging. This patch will: - Add extra info for error reporting Including: * logical bytenr * num_bytes * type * action * ref_mod - Replace the btrfs_debug() with btrfs_err() - Move the e... • https://git.kernel.org/stable/c/18bd1c9c02e64a3567f90c83c2c8b855531c8098 • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49760 – mm/hugetlb: fix PTE marker handling in hugetlb_change_protection()
https://notcve.org/view.php?id=CVE-2022-49760
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix PTE marker handling in hugetlb_change_protection() Patch series "mm/hugetlb: uffd-wp fixes for hugetlb_change_protection()". Playing with virtio-mem and background snapshots (using uffd-wp) on hugetlb in QEMU, I managed to trigger a VM_BUG_ON(). Looking into the details, hugetlb_change_protection() seems to not handle uffd-wp correctly in all cases. Patch #1 fixes my test case. I don't have reproducers for patch #2, as it re... • https://git.kernel.org/stable/c/60dfaad65aa97fb6755b9798a6b3c9e79bcd5930 •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49759 – VMCI: Use threaded irqs instead of tasklets
https://notcve.org/view.php?id=CVE-2022-49759
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: VMCI: Use threaded irqs instead of tasklets The vmci_dispatch_dgs() tasklet function calls vmci_read_data() which uses wait_event() resulting in invalid sleep in an atomic context (and therefore potentially in a deadlock). Use threaded irqs to fix this issue and completely remove usage of tasklets. [ 20.264639] BUG: sleeping function called from invalid context at drivers/misc/vmw_vmci/vmci_guest.c:145 [ 20.264643] in_atomic(): 1, irqs_disa... • https://git.kernel.org/stable/c/463713eb6164b6577f8e91447c7745628215531b •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49758 – reset: uniphier-glue: Fix possible null-ptr-deref
https://notcve.org/view.php?id=CVE-2022-49758
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: reset: uniphier-glue: Fix possible null-ptr-deref It will cause null-ptr-deref when resource_size(res) invoked, if platform_get_resource() returns NULL. In the Linux kernel, the following vulnerability has been resolved: reset: uniphier-glue: Fix possible null-ptr-deref It will cause null-ptr-deref when resource_size(res) invoked, if platform_get_resource() returns NULL. • https://git.kernel.org/stable/c/499fef09a3237497906084da3eede0185fc9abb8 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2022-49757 – EDAC/highbank: Fix memory leak in highbank_mc_probe()
https://notcve.org/view.php?id=CVE-2022-49757
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: EDAC/highbank: Fix memory leak in highbank_mc_probe() When devres_open_group() fails, it returns -ENOMEM without freeing memory allocated by edac_mc_alloc(). Call edac_mc_free() on the error handling path to avoid a memory leak. [ bp: Massage commit message. ] In the Linux kernel, the following vulnerability has been resolved: EDAC/highbank: Fix memory leak in highbank_mc_probe() When devres_open_group() fails, it returns -ENOMEM without fr... • https://git.kernel.org/stable/c/a1b01edb274518c7da6d69b84e7558c092282aad •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49756 – phy: usb: sunplus: Fix potential null-ptr-deref in sp_usb_phy_probe()
https://notcve.org/view.php?id=CVE-2022-49756
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: phy: usb: sunplus: Fix potential null-ptr-deref in sp_usb_phy_probe() sp_usb_phy_probe() will call platform_get_resource_byname() that may fail and return NULL. devm_ioremap() will use usbphy->moon4_res_mem->start as input, which may causes null-ptr-deref. Check the ret value of platform_get_resource_byname() to avoid the null-ptr-deref. In the Linux kernel, the following vulnerability has been resolved: phy: usb: sunplus: Fix potential nul... • https://git.kernel.org/stable/c/99d9ccd97385208b78b3d88e756451f4b70119fc •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2022-49755 – usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait
https://notcve.org/view.php?id=CVE-2022-49755
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait While performing fast composition switch, there is a possibility that the process of ffs_ep0_write/ffs_ep0_read get into a race condition due to ep0req being freed up from functionfs_unbind. Consider the scenario that the ffs_ep0_write calls the ffs_ep0_queue_wait by taking a lock &ffs->ev.waitq.lock. However, the functionfs_unbind isn't bounded so it can go ahead and mark the ep0req... • https://git.kernel.org/stable/c/ddf8abd2599491cbad959c700b90ba72a5dce8d0 • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49754 – Bluetooth: Fix a buffer overflow in mgmt_mesh_add()
https://notcve.org/view.php?id=CVE-2022-49754
27 Mar 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix a buffer overflow in mgmt_mesh_add() Smatch Warning: net/bluetooth/mgmt_util.c:375 mgmt_mesh_add() error: __memcpy() 'mesh_tx->param' too small (48 vs 50) Analysis: 'mesh_tx->param' is array of size 48. This is the destination. u8 param[sizeof(struct mgmt_cp_mesh_send) + 29]; // 19 + 29 = 48. But in the caller 'mesh_send' we reject only when len > 50. len > (MGMT_MESH_SEND_SIZE + 31) // 19 + 31 = 50. In the Linux kernel, the ... • https://git.kernel.org/stable/c/b338d91703fae6f6afd67f3f75caa3b8f36ddef3 •