
CVE-2022-50006 – NFSv4.2 fix problems with __nfs42_ssc_open
https://notcve.org/view.php?id=CVE-2022-50006
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: NFSv4.2 fix problems with __nfs42_ssc_open A destination server while doing a COPY shouldn't accept using the passed in filehandle if it's not a regular filehandle. If alloc_file_pseudo() has failed, we need to decrement a reference on the newly created inode, otherwise it leaks. • https://git.kernel.org/stable/c/ec4b0925089826af45e99cdf78a8ac84c1d005f1 •

CVE-2022-50005 – nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout
https://notcve.org/view.php?id=CVE-2022-50005
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout When the pn532 uart device is detaching, the pn532_uart_remove() is called. But there are no functions in pn532_uart_remove() that could delete the cmd_timeout timer, which will cause use-after-free bugs. The process is shown below: (thread 1) | (thread 2) | pn532_uart_send_frame pn532_uart_remove | mod_timer(&pn532->cmd_timeout,...) ... | (wait a time) kfree(pn532) //FREE | pn... • https://git.kernel.org/stable/c/c656aa4c27b17a8c70da223ed5ab42145800d6b5 •

CVE-2022-50004 – xfrm: policy: fix metadata dst->dev xmit null pointer dereference
https://notcve.org/view.php?id=CVE-2022-50004
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix metadata dst->dev xmit null pointer dereference When we try to transmit an skb with metadata_dst attached (i.e. dst->dev == NULL) through xfrm interface we can hit a null pointer dereference[1] in xfrmi_xmit2() -> xfrm_lookup_with_ifid() due to the check for a loopback skb device when there's no policy which dereferences dst->dev unconditionally. Not having dst->dev can be interpreted as it not being a loopback device, so... • https://git.kernel.org/stable/c/5b7f84b1f9f46327360a64c529433fa0d68cc3f4 •

CVE-2022-50003 – ice: xsk: prohibit usage of non-balanced queue id
https://notcve.org/view.php?id=CVE-2022-50003
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: ice: xsk: prohibit usage of non-balanced queue id Fix the following scenario: 1. ethtool -L $IFACE rx 8 tx 96 2. xdpsock -q 10 -t -z Above refers to a case where user would like to attach XSK socket in txonly mode at a queue id that does not have a corresponding Rx queue. At this moment ice's XSK logic is tightly bound to act on a "queue pair", e.g. both Tx and Rx queues at a given queue id are disabled/enabled and both of them will get XSK... • https://git.kernel.org/stable/c/2d4238f5569722197612656163d824098208519c •

CVE-2022-50001 – netfilter: nft_tproxy: restrict to prerouting hook
https://notcve.org/view.php?id=CVE-2022-50001
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tproxy: restrict to prerouting hook TPROXY is only allowed from prerouting, but nft_tproxy doesn't check this. This fixes a crash (null dereference) when using tproxy from e.g. output. • https://git.kernel.org/stable/c/4ed8eb6570a49931c705512060acd50058d61616 •

CVE-2022-50000 – netfilter: flowtable: fix stuck flows on cleanup due to pending work
https://notcve.org/view.php?id=CVE-2022-50000
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: fix stuck flows on cleanup due to pending work To clear the flow table on flow table free, the following sequence normally happens in order: 1) gc_step work is stopped to disable any further stats/del requests. 2) All flow table entries are set to teardown state. 3) Run gc_step which will queue HW del work for each flow table entry. 4) Waiting for the above del work to finish (flush). 5) Run gc_step again, deleting all... • https://git.kernel.org/stable/c/c29f74e0df7a02b8303bcdce93a7c0132d62577a •

CVE-2022-49998 – rxrpc: Fix locking in rxrpc's sendmsg
https://notcve.org/view.php?id=CVE-2022-49998
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix locking in rxrpc's sendmsg Fix three bugs in the rxrpc's sendmsg implementation: (1) rxrpc_new_client_call() should release the socket lock when returning an error from rxrpc_get_call_slot(). (2) rxrpc_wait_for_tx_window_intr() will return without the call mutex held in the event that we're interrupted by a signal whilst waiting for tx space on the socket or relocking the call mutex afterwards. Fix this by: (a) moving the unlock/... • https://git.kernel.org/stable/c/bc5e3a546d553e5223851fc199e69040eb70f68b •

CVE-2022-49997 – net: lantiq_xrx200: restore buffer if memory allocation failed
https://notcve.org/view.php?id=CVE-2022-49997
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net: lantiq_xrx200: restore buffer if memory allocation failed In a situation where memory allocation fails, an invalid buffer address is stored. When this descriptor is used again, the system panics in the build_skb() function when accessing memory. • https://git.kernel.org/stable/c/7ea6cd16f1599c1eac6018751eadbc5fc736b99a •

CVE-2022-49993 – loop: Check for overflow while configuring loop
https://notcve.org/view.php?id=CVE-2022-49993
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: loop: Check for overflow while configuring loop The userspace can configure a loop using an ioctl call, wherein a configuration of type loop_config is passed (see lo_ioctl()'s case on line 1550 of drivers/block/loop.c). This proceeds to call loop_configure() which in turn calls loop_set_status_from_info() (see line 1050 of loop.c), passing &config->info which is of type loop_info64*. This function then sets the appropriate values, like the ... • https://git.kernel.org/stable/c/18e28817cb516b39de6281f6db9b0618b2cc7b42 •

CVE-2022-49990 – s390: fix double free of GS and RI CBs on fork() failure
https://notcve.org/view.php?id=CVE-2022-49990
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: s390: fix double free of GS and RI CBs on fork() failure The pointers for guarded storage and runtime instrumentation control blocks are stored in the thread_struct of the associated task. These pointers are initially copied on fork() via arch_dup_task_struct() and then cleared via copy_thread() before fork() returns. If fork() happens to fail after the initial task dup and before copy_thread(), the newly allocated task and associated threa... • https://git.kernel.org/stable/c/8d9047f8b967ce6181fd824ae922978e1b055cc0 •