
CVE-2022-50250 – regulator: core: fix use_count leakage when handling boot-on
https://notcve.org/view.php?id=CVE-2022-50250
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix use_count leakage when handling boot-on I found a use_count leakage towards supply regulator of rdev with boot-on option.
┌───────────────────┐           ┌───────────────────┐
│  regulator_dev A  │           │  regulator_dev B  │
│     (boot-on)     │           │     (boot-on)     │
│    use_count=0    │◀──supply──│    use_count=1    │
│                   │           │                   │
└───────────────────┘           └───────────────────┘
In case of rdev(A) configured with `regulator-boot-on', the use_count of supplying regulator(B)... • https://git.kernel.org/stable/c/dc3391d49479bc2bf8a2b88dbf86fdd800882fee •

CVE-2022-50249 – memory: of: Fix refcount leak bug in of_get_ddr_timings()
https://notcve.org/view.php?id=CVE-2022-50249
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: memory: of: Fix refcount leak bug in of_get_ddr_timings() We should add the of_node_put() when breaking out of for_each_child_of_node() as it will automatically increase and decrease the refcount. • https://git.kernel.org/stable/c/e6b42eb6a66c188642aeb447312938c6f6ebee86 •

CVE-2022-50248 – wifi: iwlwifi: mvm: fix double free on tx path.
https://notcve.org/view.php?id=CVE-2022-50248
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix double free on tx path. We see kernel crashes and lockups and KASAN errors related to ax210 firmware crashes. One of the KASAN dumps pointed at the tx path, and it appears there is indeed a way to double-free an skb. If iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the method will be freed. But, in case where we build TSO skb buffer, the skb may also be freed in error case. • https://git.kernel.org/stable/c/08f7d8b69aaf137db8ee0a2d7c9e6cd6383ae250 •

CVE-2022-50246 – usb: typec: tcpci: fix of node refcount leak in tcpci_register_port()
https://notcve.org/view.php?id=CVE-2022-50246
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpci: fix of node refcount leak in tcpci_register_port() I got the following report while doing device(mt6370-tcpc) load test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@34/tcpc/connector The 'fwnode' set in tcpci_parse_config() which is called in tcpci_register_port(), ... • https://git.kernel.org/stable/c/5e85a04c8c0d271d7561a770b85741f186398868 •

CVE-2022-50245 – rapidio: fix possible UAF when kfifo_alloc() fails
https://notcve.org/view.php?id=CVE-2022-50245
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: rapidio: fix possible UAF when kfifo_alloc() fails If kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free priv. But priv is still in the chdev->file_list, then list traversal may cause UAF. This fixes the following smatch warning: drivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list • https://git.kernel.org/stable/c/e8de370188d098bb49483c287b44925957c3c9b6 •

CVE-2022-50244 – cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
https://notcve.org/view.php?id=CVE-2022-50244
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() If device_register() fails in cxl_pci_afu|adapter(), the device is not added, device_unregister() can not be called in the error path, otherwise it will cause a null-ptr-deref because of removing not added device. As comment of device_register() says, it should use put_device() to give up the reference in the error path. So split device_unregister() into device_del() and put_dev... • https://git.kernel.org/stable/c/f204e0b8cedd7da1dfcfd05ed6b7692737e24029 •

CVE-2022-50243 – sctp: handle the error returned from sctp_auth_asoc_init_active_key
https://notcve.org/view.php?id=CVE-2022-50243
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: handle the error returned from sctp_auth_asoc_init_active_key When it returns an error from sctp_auth_asoc_init_active_key(), the active_key is actually not updated. The old sh_key will be freed while it's still used as active key in asoc. Then a use-after-free will be triggered when sending packets, as found by syzbot: sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 sctp_set_owner_w net/sctp/socket.c:132 [inline] sctp_sendmsg_t... • https://git.kernel.org/stable/c/50b57223da67653c61e405d0a7592355cfe4585e •

CVE-2022-50242 – drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
https://notcve.org/view.php?id=CVE-2022-50242
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() If vp alloc failed in qlcnic_sriov_init(), all previously allocated vp needs to be freed. • https://git.kernel.org/stable/c/f197a7aa62888f27c9a7976b18eb4f040f6606ce •

CVE-2022-50241 – NFSD: fix use-after-free on source server when doing inter-server copy
https://notcve.org/view.php?id=CVE-2022-50241
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: NFSD: fix use-after-free on source server when doing inter-server copy Use-after-free occurred when the laundromat tried to free expired cpntf_state entry on the s2s_cp_stateids list after inter-server copy completed. The sc_cp_list that the expired copy state was inserted on was already freed. When COPY completes, the Linux client normally sends LOCKU(lock_state x), FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server. T... • https://git.kernel.org/stable/c/bbacfcde5fff25ac22597e8373a065c647da6738 •

CVE-2022-50240 – binder: fix UAF of alloc->vma in race with munmap()
https://notcve.org/view.php?id=CVE-2022-50240
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of alloc->vma in race with munmap() In commit 720c24192404 ("ANDROID: binder: change down_write to down_read") binder assumed the mmap read lock is sufficient to protect alloc->vma inside binder_update_page_range(). This used to be accurate until commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap"), which now downgrades the mmap_lock after detaching the vma from the rbtree in munmap(). Then it proceeds to... • https://git.kernel.org/stable/c/dd2283f2605e3b3e9c61bcae844b34f2afa4813f •