CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48978 – HID: core: fix shift-out-of-bounds in hid_report_raw_event
https://notcve.org/view.php?id=CVE-2022-48978
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: HID: core: fix shift-out-of-bounds in hid_report_raw_event Syzbot reported shift-out-of-bounds in hid_report_raw_event. microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > 32! (swapper/0) ====================================================================== UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20 shift exponent 127 is too large for 32-bit type 'int' CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.... • https://git.kernel.org/stable/c/dde5845a529ff753364a6d1aea61180946270bfa •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48973 – gpio: amd8111: Fix PCI device reference count leak
https://notcve.org/view.php?id=CVE-2022-48973
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: gpio: amd8111: Fix PCI device reference count leak for_each_pci_dev() is implemented by pci_get_device(). The comment of pci_get_device() says that it will increase the reference count for the returned pci_dev and also decrease the reference count for the input pci_dev @from if it is not NULL. If we break for_each_pci_dev() loop with pdev not NULL, we need to call pci_dev_put() to decrease the reference count. Add the missing pci_dev_put... • https://git.kernel.org/stable/c/f942a7de047d8c599cc1a9a26293c8c7400450ea •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48972 – mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add()
https://notcve.org/view.php?id=CVE-2022-48972
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() Kernel fault injection test reports null-ptr-deref as follows: BUG: kernel NULL pointer dereference, address: 0000000000000008 RIP: 0010:cfg802154_netdev_notifier_call+0x120/0x310 include/linux/list.h:114 Call Trace:
CVSS: -EPSS: 0%CPEs: 6EXPL: 0CVE-2022-48969 – xen-netfront: Fix NULL sring after live migration
https://notcve.org/view.php?id=CVE-2022-48969
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: xen-netfront: Fix NULL sring after live migration A NAPI is setup for each network sring to poll data to kernel The sring with source host is destroyed before live migration and new sring with target host is setup after live migration. The NAPI for the old sring is not deleted until setup new sring with target host after migration. With busy_poll/busy_read enabled, the NAPI can be polled before got deleted when resume VM. BUG: unable to ... • https://git.kernel.org/stable/c/4ec2411980d0fd2995e8dea8a06fe57aa47523cb •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48967 – NFC: nci: Bounds check struct nfc_target arrays
https://notcve.org/view.php?id=CVE-2022-48967
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: NFC: nci: Bounds check struct nfc_target arrays While running under CONFIG_FORTIFY_SOURCE=y, syzkaller reported: memcpy: detected field-spanning write (size 129) of single field "target->sensf_res" at net/nfc/nci/ntf.c:260 (size 18) This appears to be a legitimate lack of bounds checking in nci_add_new_protocol(). Add the missing checks. • https://git.kernel.org/stable/c/019c4fbaa790e2b3f11dab0c8b7d9896d77db3e5 •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48960 – net: hisilicon: Fix potential use-after-free in hix5hd2_rx()
https://notcve.org/view.php?id=CVE-2022-48960
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net: hisilicon: Fix potential use-after-free in hix5hd2_rx() The skb is delivered to napi_gro_receive() which may free it, after calling this, dereferencing skb may trigger use-after-free. • https://git.kernel.org/stable/c/57c5bc9ad7d799e9507ba6e993398d2c55f03fab •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48958 – ethernet: aeroflex: fix potential skb leak in greth_init_rings()
https://notcve.org/view.php?id=CVE-2022-48958
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ethernet: aeroflex: fix potential skb leak in greth_init_rings() The greth_init_rings() function won't free the newly allocated skb when dma_mapping_error() returns error, so add dev_kfree_skb() to fix it. Compile tested only. • https://git.kernel.org/stable/c/d4c41139df6e74c6fff0cbac43e51cab782133be •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48953 – rtc: cmos: Fix event handler registration ordering issue
https://notcve.org/view.php?id=CVE-2022-48953
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: rtc: cmos: Fix event handler registration ordering issue Because acpi_install_fixed_event_handler() enables the event automatically on success, it is incorrect to call it before the handler routine passed to it is ready to handle events. Unfortunately, the rtc-cmos driver does exactly the incorrect thing by calling cmos_wake_setup(), which passes rtc_handler() to acpi_install_fixed_event_handler(), before cmos_do_probe(), because rtc_han... • https://git.kernel.org/stable/c/a474aaedac99ba86e28ef6c912a7647c482db6dd •
CVSS: -EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48951 – ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
https://notcve.org/view.php?id=CVE-2022-48951
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() The bounds checks in snd_soc_put_volsw_sx() are only being applied to the first channel, meaning it is possible to write out of bounds values to the second channel in stereo controls. Add appropriate checks. • https://git.kernel.org/stable/c/56288987843c3cb343e81e5fa51549cbaf541bd0 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48950 – perf: Fix perf_pending_task() UaF
https://notcve.org/view.php?id=CVE-2022-48950
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: perf: Fix perf_pending_task() UaF Per syzbot it is possible for perf_pending_task() to run after the event is free()'d. There are two related but distinct cases: - the task_work was already queued before destroying the event; - destroying the event itself queues the task_work. The first cannot be solved using task_work_cancel() since perf_release() itself might be called from a task_work (____fput), which means the current->task_works... • https://git.kernel.org/stable/c/8bffa95ac19ff27c8261904f89d36c7fcf215d59 •