CVSS: 5.5 • EPSS: 0% • CPEs: 9 • EXPL: 0 • CVE-2022-50244 – cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
https://notcve.org/view.php?id=CVE-2022-50244
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() If device_register() fails in cxl_pci_afu|adapter(), the device is not added, device_unregister() can not be called in the error path, otherwise it will cause a null-ptr-deref because of removing not added device. As comment of device_register() says, it should use put_device() to give up the reference in the error path. So split device_unregister() into device_del() and put_dev... • https://git.kernel.org/stable/c/f204e0b8cedd7da1dfcfd05ed6b7692737e24029
CVSS: 7.8 • EPSS: 0% • CPEs: 8 • EXPL: 0 • CVE-2022-50243 – sctp: handle the error returned from sctp_auth_asoc_init_active_key
https://notcve.org/view.php?id=CVE-2022-50243
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: sctp: handle the error returned from sctp_auth_asoc_init_active_key When it returns an error from sctp_auth_asoc_init_active_key(), the active_key is actually not updated. The old sh_key will be freed while it's still used as active key in asoc. Then a use-after-free will be triggered when sending packets, as found by syzbot: sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112 sctp_set_owner_w net/sctp/socket.c:132 [inline] sctp_sendmsg_t... • https://git.kernel.org/stable/c/50b57223da67653c61e405d0a7592355cfe4585e • CWE-324: Use of a Key Past its Expiration Date
CVSS: 5.5 • EPSS: 0% • CPEs: 9 • EXPL: 0 • CVE-2022-50242 – drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
https://notcve.org/view.php?id=CVE-2022-50242
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() If vp alloc failed in qlcnic_sriov_init(), all previously allocated vp needs to be freed. This update provides the initial livepatch for this ke... • https://git.kernel.org/stable/c/f197a7aa62888f27c9a7976b18eb4f040f6606ce
CVSS: 7.8 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2022-50241 – NFSD: fix use-after-free on source server when doing inter-server copy
https://notcve.org/view.php?id=CVE-2022-50241
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: NFSD: fix use-after-free on source server when doing inter-server copy Use-after-free occurred when the laundromat tried to free expired cpntf_state entry on the s2s_cp_stateids list after inter-server copy completed. The sc_cp_list that the expired copy state was inserted on was already freed. When COPY completes, the Linux client normally sends LOCKU(lock_state x), FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server. T... • https://git.kernel.org/stable/c/624322f1adc58acd0b69f77a6ddc764207e97241 • CWE-416: Use After Free
CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2022-50240 – android: binder: stop saving a pointer to the VMA
https://notcve.org/view.php?id=CVE-2022-50240
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of alloc->vma in race with munmap() In commit 720c24192404 ("ANDROID: binder: change down_write to down_read") binder assumed the mmap read lock is sufficient to protect alloc->vma inside binder_update_page_range(). This used to be accurate until commit dd2283f2605e ("mm: mmap: zap pages with read mmap_sem in munmap"), which now downgrades the mmap_lock after detaching the vma from the rbtree in munmap(). Then it proceeds to... • https://git.kernel.org/stable/c/dd2283f2605e3b3e9c61bcae844b34f2afa4813f
CVSS: 7.1 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2022-50239 – cpufreq: qcom: fix writes in read-only memory region
https://notcve.org/view.php?id=CVE-2022-50239
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom: fix writes in read-only memory region This commit fixes a kernel oops because of a write in some read-only memory: [ 9.068287] Unable to handle kernel write to read-only memory at virtual address ffff800009240ad8 ..snip.. [ 9.138790] Internal error: Oops: 9600004f [#1] PREEMPT SMP ..snip.. [ 9.269161] Call trace: [ 9.276271] __memcpy+0x5c/0x230 [ 9.278531] snprintf+0x58/0x80 [ 9.282002] qcom_cpufreq_msm8939_name_version+0xb4/... • https://git.kernel.org/stable/c/a8811ec764f95a04ba82f6f457e28c5e9e36e36b • CWE-787: Out-of-bounds Write
CVSS: 5.5 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2022-50236 – iommu/mediatek: Fix crash on isr after kexec()
https://notcve.org/view.php?id=CVE-2022-50236
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: iommu/mediatek: Fix crash on isr after kexec() If the system is rebooted via isr(), the IRQ handler might be triggered before the domain is initialized, resulting in an invalid memory access error. Fix: [ 0.500930] Unable to handle kernel read from unreadable memory at virtual address 0000000000000070 [ 0.501166] Call trace: [ 0.501174] report_iommu_fault+0x28/0xfc [ 0.501180] mtk_iommu_isr+0x10c/0x1c0 [ joro: Fixed spelling in commit messa... • https://git.kernel.org/stable/c/0df4fabe208d9576f2671d31e77cf46d20fdcd01
CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2022-50234 – io_uring/af_unix: defer registered files gc to io_uring release
https://notcve.org/view.php?id=CVE-2022-50234
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring/af_unix: defer registered files gc to io_uring release Instead of putting io_uring's registered files in unix_gc() we want it to be done by io_uring itself. The trick here is to consider io_uring registered files for cycle detection but not actually putting them down. Because io_uring can't register other ring instances, this will remove all refs to the ring file triggering the ->release path and clean up with io_ring_ctx_free(). [... • https://git.kernel.org/stable/c/6b06314c47e141031be043539900d80d2c7ba10f
CVSS: 7.2 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2025-39801 – usb: dwc3: Remove WARN_ON for device endpoint command timeouts
https://notcve.org/view.php?id=CVE-2025-39801
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Remove WARN_ON for device endpoint command timeouts This commit addresses a rarely observed endpoint command timeout which causes kernel panic due to warn when 'panic_on_warn' is enabled and unnecessary call trace prints when 'panic_on_warn' is disabled. It is seen during fast software-controlled connect/disconnect testcases. The following is one such endpoint command timeout that we observed: 1. Connect ======= ->dwc3_thread_int... • https://git.kernel.org/stable/c/72246da40f3719af3bfd104a2365b32537c27d83
CVSS: 6.6 • EPSS: 0% • CPEs: 5 • EXPL: 0 • CVE-2025-39800 – btrfs: abort transaction on unexpected eb generation at btrfs_copy_root()
https://notcve.org/view.php?id=CVE-2025-39800
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: abort transaction on unexpected eb generation at btrfs_copy_root() If we find an unexpected generation for the extent buffer we are cloning at btrfs_copy_root(), we just WARN_ON() and don't error out and abort the transaction, meaning we allow to persist metadata with an unexpected generation. Instead of warning only, abort the transaction and return -EUCLEAN. ... • https://git.kernel.org/stable/c/be20aa9dbadc8c06283784ee12bbc0d97dea3418
