CVSS: 7.3EPSS: 0%CPEs: 8EXPL: 0CVE-2022-50258 – wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()
https://notcve.org/view.php?id=CVE-2022-50258
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds() This patch fixes a stack-out-of-bounds read in brcmfmac that occurs when 'buf' that is not null-terminated is passed as an argument of strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware version string by memcpy() in brcmf_fil_iovar_data_get(). The patch ensures buf is null-terminated. Found by a modified version of syzkaller. [ 47.569679][ T... • https://git.kernel.org/stable/c/0af29bf7c1ddf5f3c35577409de46ede5e8d7845 • CWE-125: Out-of-bounds Read •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-50253 – bpf: make sure skb->len != 0 when redirecting to a tunneling device
https://notcve.org/view.php?id=CVE-2022-50253
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: make sure skb->len != 0 when redirecting to a tunneling device syzkaller managed to trigger another case where skb->len == 0 when we enter __dev_queue_xmit: WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline] WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295 Call Trace: dev_queue_xmit+0x17/0x20 net/core/dev.c:4406 __bpf_tx... • https://git.kernel.org/stable/c/4e3264d21b90984c2165e8fe5a7b64cf25bc2c2d •
CVSS: 7.8EPSS: 0%CPEs: 12EXPL: 0CVE-2022-50252 – igb: Do not free q_vector unless new one was allocated
https://notcve.org/view.php?id=CVE-2022-50252
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: igb: Do not free q_vector unless new one was allocated Avoid potential use-after-free condition under memory pressure. If the kzalloc() fails, q_vector will be freed but left in the original adapter->q_vector[v_idx] array position. In the Linux kernel, the following vulnerability has been resolved: igb: Do not free q_vector unless new one was allocated Avoid potential use-after-free condition under memory pressure. If the kzalloc() fails, q... • https://git.kernel.org/stable/c/72ddef0506da852dc82f078f37ced8ef4d74a2bf •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50251 – mmc: vub300: fix return value check of mmc_add_host()
https://notcve.org/view.php?id=CVE-2022-50251
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(), besides, the timer added before mmc_add_host() needs be del. And this patch fixes ... • https://git.kernel.org/stable/c/88095e7b473a3d9ec3b9c60429576e9cbd327c89 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2022-50250 – regulator: core: fix use_count leakage when handling boot-on
https://notcve.org/view.php?id=CVE-2022-50250
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix use_count leakage when handling boot-on I found a use_count leakage towards supply regulator of rdev with boot-on option. ┌───────────────────┐ ┌───────────────────┐ │ regulator_dev A │ │ regulator_dev B │ │ (boot-on) │ │ (boot-on) │ │ use_count=0 │◀──supply──│ use_count=1 │ │ │ │ │ └───────────────────┘ └───────────────────┘ In case of rdev(A) configured with `regulator-boot-on', the use_count of supplying regulator(B)... • https://git.kernel.org/stable/c/dc1b1d7faf616ed663d0bba9be5abb4d1ed35d01 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2022-50248 – wifi: iwlwifi: mvm: fix double free on tx path.
https://notcve.org/view.php?id=CVE-2022-50248
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix double free on tx path. We see kernel crashes and lockups and KASAN errors related to ax210 firmware crashes. One of the KASAN dumps pointed at the tx path, and it appears there is indeed a way to double-free an skb. If iwl_mvm_tx_skb_sta returns non-zero, then the 'skb' sent into the method will be freed. But, in case where we build TSO skb buffer, the skb may also be freed in error case. • https://git.kernel.org/stable/c/08f7d8b69aaf137db8ee0a2d7c9e6cd6383ae250 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-50247 – usb: xhci-mtk: fix leakage of shared hcd when fail to set wakeup irq
https://notcve.org/view.php?id=CVE-2022-50247
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: xhci-mtk: fix leakage of shared hcd when fail to set wakeup irq Can not set the @shared_hcd to NULL before decrease the usage count by usb_put_hcd(), this will cause the shared hcd not released. In the Linux kernel, the following vulnerability has been resolved: usb: xhci-mtk: fix leakage of shared hcd when fail to set wakeup irq Can not set the @shared_hcd to NULL before decrease the usage count by usb_put_hcd(), this will cause the s... • https://git.kernel.org/stable/c/04284eb74e0c350be5e75eda178b97063343af13 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-50246 – usb: typec: tcpci: fix of node refcount leak in tcpci_register_port()
https://notcve.org/view.php?id=CVE-2022-50246
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpci: fix of node refcount leak in tcpci_register_port() I got the following report while doing device(mt6370-tcpc) load test with CONFIG_OF_UNITTEST and CONFIG_OF_DYNAMIC enabled: OF: ERROR: memory leak, expected refcount 1 instead of 2, of_node_get()/of_node_put() unbalanced - destroy cset entry: attach overlay node /i2c/pmic@34/tcpc/connector The 'fwnode' set in tcpci_parse_config() which is called in tcpci_register_port(), ... • https://git.kernel.org/stable/c/5e85a04c8c0d271d7561a770b85741f186398868 • CWE-772: Missing Release of Resource after Effective Lifetime •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50245 – rapidio: fix possible UAF when kfifo_alloc() fails
https://notcve.org/view.php?id=CVE-2022-50245
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: rapidio: fix possible UAF when kfifo_alloc() fails If kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free priv. But priv is still in the chdev->file_list, then list traversal may cause UAF. This fixes the following smatch warning: drivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list In the Linux kernel, the following vulnerability has been resolved: rapidio: fix possible... • https://git.kernel.org/stable/c/e8de370188d098bb49483c287b44925957c3c9b6 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50244 – cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
https://notcve.org/view.php?id=CVE-2022-50244
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() If device_register() fails in cxl_pci_afu|adapter(), the device is not added, device_unregister() can not be called in the error path, otherwise it will cause a null-ptr-deref because of removing not added device. As comment of device_register() says, it should use put_device() to give up the reference in the error path. So split device_unregister() into device_del() and put_dev... • https://git.kernel.org/stable/c/f204e0b8cedd7da1dfcfd05ed6b7692737e24029 •