CVSS: 3.3EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48794 – net: ieee802154: at86rf230: Stop leaking skb's
https://notcve.org/view.php?id=CVE-2022-48794
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: at86rf230: Stop leaking skb's Upon error the ieee802154_xmit_complete() helper is not called. Only ieee802154_wake_queue() is called manually. In the Tx case we then leak the skb structure. Free the skb structure upon error before returning when appropriate. As the 'is_tx = 0' cannot be moved in the complete handler because of a possible race between the delay in switching to STATE_RX_AACK_ON and a new interrupt, we introdu... • https://git.kernel.org/stable/c/d2a1eaf51b7d4412319adb6acef114ba472d1692 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48793 – KVM: x86: nSVM: fix potential NULL derefernce on nested migration
https://notcve.org/view.php?id=CVE-2022-48793
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: nSVM: fix potential NULL derefernce on nested migration Turns out that due to review feedback and/or rebases I accidentally moved the call to nested_svm_load_cr3 to be too early, before the NPT is enabled, which is very wrong to do. KVM can't even access guest memory at that point as nested NPT is needed for that, and of course it won't initialize the walk_mmu, which is main issue the patch was addressing. Fix this for real. A vul... • https://git.kernel.org/stable/c/232f75d3b4b5456de6f0b671aa86345d62de1473 • CWE-476: NULL Pointer Dereference •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48792 – scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task
https://notcve.org/view.php?id=CVE-2022-48792
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted SSP/STP sas_task Currently a use-after-free may occur if a sas_task is aborted by the upper layer before we handle the I/O completion in mpi_ssp_completion() or mpi_sata_completion(). In this case, the following are the two steps in handling those I/O completions: - Call complete() to inform the upper layer handler of completion of the I/O. - Release driver resources associated with the sas_task ... • https://git.kernel.org/stable/c/fe9ac3eaa2e387a5742b380b73a5a6bc237bf184 •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48791 – scsi: pm8001: Fix use-after-free for aborted TMF sas_task
https://notcve.org/view.php?id=CVE-2022-48791
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: scsi: pm8001: Fix use-after-free for aborted TMF sas_task Currently a use-after-free may occur if a TMF sas_task is aborted before we handle the IO completion in mpi_ssp_completion(). The abort occurs due to timeout. When the timeout occurs, the SAS_TASK_STATE_ABORTED flag is set and the sas_task is freed in pm8001_exec_internal_tmf_task(). However, if the I/O completion occurs later, the I/O completion still thinks that the sas_task is ava... • https://git.kernel.org/stable/c/d872e7b5fe38f325f5206b6872746fa02c2b4819 •
CVSS: 7.0EPSS: 0%CPEs: 6EXPL: 0CVE-2022-48790 – nvme: fix a possible use-after-free in controller reset during load
https://notcve.org/view.php?id=CVE-2022-48790
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: nvme: fix a possible use-after-free in controller reset during load Unlike .queue_rq, in .submit_async_event drivers may not check the ctrl readiness for AER submission. This may lead to a use-after-free condition that was observed with nvme-tcp. The race condition may happen in the following scenario: 1. driver executes its reset_ctrl_work 2. -> nvme_stop_ctrl - flushes ctrl async_event_work 3. ctrl sends AEN which is received by the host,... • https://git.kernel.org/stable/c/a25e460fbb0340488d119fb2e28fe3f829b7417e •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48789 – nvme-tcp: fix possible use-after-free in transport error_recovery work
https://notcve.org/view.php?id=CVE-2022-48789
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix possible use-after-free in transport error_recovery work While nvme_tcp_submit_async_event_work is checking the ctrl and queue state before preparing the AER command and scheduling io_work, in order to fully prevent a race where this check is not reliable the error recovery work must flush async_event_work before continuing to destroy the admin queue after setting the ctrl state to RESETTING such that there is no race .submit_... • https://git.kernel.org/stable/c/61a26ffd5ad3ece456d74c4c79f7b5e3f440a141 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-48788 – nvme-rdma: fix possible use-after-free in transport error_recovery work
https://notcve.org/view.php?id=CVE-2022-48788
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: nvme-rdma: fix possible use-after-free in transport error_recovery work While nvme_rdma_submit_async_event_work is checking the ctrl and queue state before preparing the AER command and scheduling io_work, in order to fully prevent a race where this check is not reliable the error recovery work must flush async_event_work before continuing to destroy the admin queue after setting the ctrl state to RESETTING such that there is no race .submi... • https://git.kernel.org/stable/c/5593f72d1922403c11749532e3a0aa4cf61414e9 •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-48787 – iwlwifi: fix use-after-free
https://notcve.org/view.php?id=CVE-2022-48787
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: iwlwifi: fix use-after-free If no firmware was present at all (or, presumably, all of the firmware files failed to parse), we end up unbinding by calling device_release_driver(), which calls remove(), which then in iwlwifi calls iwl_drv_stop(), freeing the 'drv' struct. However the new code I added will still erroneously access it after it was freed. Set 'failure=false' in this case to avoid the access, all data was already freed anyway. In... • https://git.kernel.org/stable/c/8e10749fa1a454c1e7214f36cec83241f5a36ef1 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48786 – vsock: remove vsock from connected table when connect is interrupted by a signal
https://notcve.org/view.php?id=CVE-2022-48786
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: vsock: remove vsock from connected table when connect is interrupted by a signal vsock_connect() expects that the socket could already be in the TCP_ESTABLISHED state when the connecting task wakes up with a signal pending. If this happens the socket will be in the connected table, and it is not removed when the socket state is reset. In this situation it's common for the process to retry connect(), and if the connection is successful the s... • https://git.kernel.org/stable/c/d021c344051af91f42c5ba9fdedc176740cbd238 • CWE-371: State Issues •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2021-47624 – net/sunrpc: fix reference count leaks in rpc_sysfs_xprt_state_change
https://notcve.org/view.php?id=CVE-2021-47624
16 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: net/sunrpc: fix reference count leaks in rpc_sysfs_xprt_state_change The refcount leak issues take place in an error handling path. When the 3rd argument buf doesn't match with "offline", "online" or "remove", the function simply returns -EINVAL and forgets to decrease the reference count of a rpc_xprt object and a rpc_xprt_switch object increased by rpc_sysfs_xprt_kobj_get_xprt() and rpc_sysfs_xprt_kobj_get_xprt_switch(), causing reference... • https://git.kernel.org/stable/c/4b22aa42bd4d2d630ef1854c139275c3532937cb • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •