CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-50007 – xfrm: fix refcount leak in __xfrm_policy_check()
https://notcve.org/view.php?id=CVE-2022-50007
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: xfrm: fix refcount leak in __xfrm_policy_check() The issue happens on an error path in __xfrm_policy_check(). When the fetching process of the object `pols[1]` fails, the function simply returns 0, forgetting to decrement the reference count of `pols[0]`, which is incremented earlier by either xfrm_sk_policy_lookup() or xfrm_policy_lookup(). This may result in memory leaks. Fix it by decreasing the reference count of `pols[0]` in that path.... • https://git.kernel.org/stable/c/134b0fc544ba062498451611cb6f3e4454221b3d •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-50006 – NFSv4.2 fix problems with __nfs42_ssc_open
https://notcve.org/view.php?id=CVE-2022-50006
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: NFSv4.2 fix problems with __nfs42_ssc_open A destination server while doing a COPY shouldn't accept using the passed in filehandle if its not a regular filehandle. If alloc_file_pseudo() has failed, we need to decrement a reference on the newly created inode, otherwise it leaks. In the Linux kernel, the following vulnerability has been resolved: NFSv4.2 fix problems with __nfs42_ssc_open A destination server while doing a COPY shouldn't acc... • https://git.kernel.org/stable/c/ec4b0925089826af45e99cdf78a8ac84c1d005f1 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2022-50005 – nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout
https://notcve.org/view.php?id=CVE-2022-50005
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: nfc: pn533: Fix use-after-free bugs caused by pn532_cmd_timeout When the pn532 uart device is detaching, the pn532_uart_remove() is called. But there are no functions in pn532_uart_remove() that could delete the cmd_timeout timer, which will cause use-after-free bugs. The process is shown below: (thread 1) | (thread 2) | pn532_uart_send_frame pn532_uart_remove | mod_timer(&pn532->cmd_timeout,...) ... | (wait a time) kfree(pn532) //FREE | pn... • https://git.kernel.org/stable/c/c656aa4c27b17a8c70da223ed5ab42145800d6b5 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-50004 – xfrm: policy: fix metadata dst->dev xmit null pointer dereference
https://notcve.org/view.php?id=CVE-2022-50004
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: xfrm: policy: fix metadata dst->dev xmit null pointer dereference When we try to transmit an skb with metadata_dst attached (i.e. dst->dev == NULL) through xfrm interface we can hit a null pointer dereference[1] in xfrmi_xmit2() -> xfrm_lookup_with_ifid() due to the check for a loopback skb device when there's no policy which dereferences dst->dev unconditionally. Not having dst->dev can be interepreted as it not being a loopback device, so... • https://git.kernel.org/stable/c/5b7f84b1f9f46327360a64c529433fa0d68cc3f4 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-50003 – ice: xsk: prohibit usage of non-balanced queue id
https://notcve.org/view.php?id=CVE-2022-50003
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: ice: xsk: prohibit usage of non-balanced queue id Fix the following scenario: 1. ethtool -L $IFACE rx 8 tx 96 2. xdpsock -q 10 -t -z Above refers to a case where user would like to attach XSK socket in txonly mode at a queue id that does not have a corresponding Rx queue. At this moment ice's XSK logic is tightly bound to act on a "queue pair", e.g. both Tx and Rx queues at a given queue id are disabled/enabled and both of them will get XSK... • https://git.kernel.org/stable/c/2d4238f5569722197612656163d824098208519c •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-50002 – net/mlx5: LAG, fix logic over MLX5_LAG_FLAG_NDEVS_READY
https://notcve.org/view.php?id=CVE-2022-50002
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5: LAG, fix logic over MLX5_LAG_FLAG_NDEVS_READY Only set MLX5_LAG_FLAG_NDEVS_READY if both netdevices are registered. Doing so guarantees that both ldev->pf[MLX5_LAG_P0].dev and ldev->pf[MLX5_LAG_P1].dev have valid pointers when MLX5_LAG_FLAG_NDEVS_READY is set. The core issue is asymmetry in setting MLX5_LAG_FLAG_NDEVS_READY and clearing it. Setting it is done wrongly when both ldev->pf[MLX5_LAG_P0].dev and ldev->pf[MLX5_LAG_P1].de... • https://git.kernel.org/stable/c/8a66e45859797e5dd77ff17dd37781f99d5f5b9b •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-50001 – netfilter: nft_tproxy: restrict to prerouting hook
https://notcve.org/view.php?id=CVE-2022-50001
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tproxy: restrict to prerouting hook TPROXY is only allowed from prerouting, but nft_tproxy doesn't check this. This fixes a crash (null dereference) when using tproxy from e.g. output. In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tproxy: restrict to prerouting hook TPROXY is only allowed from prerouting, but nft_tproxy doesn't check this. This fixes a crash (null dereference) when using t... • https://git.kernel.org/stable/c/4ed8eb6570a49931c705512060acd50058d61616 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-50000 – netfilter: flowtable: fix stuck flows on cleanup due to pending work
https://notcve.org/view.php?id=CVE-2022-50000
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: fix stuck flows on cleanup due to pending work To clear the flow table on flow table free, the following sequence normally happens in order: 1) gc_step work is stopped to disable any further stats/del requests. 2) All flow table entries are set to teardown state. 3) Run gc_step which will queue HW del work for each flow table entry. 4) Waiting for the above del work to finish (flush). 5) Run gc_step again, deleting all... • https://git.kernel.org/stable/c/c29f74e0df7a02b8303bcdce93a7c0132d62577a •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49999 – btrfs: fix space cache corruption and potential double allocations
https://notcve.org/view.php?id=CVE-2022-49999
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix space cache corruption and potential double allocations When testing space_cache v2 on a large set of machines, we encountered a few symptoms: 1. "unable to add free space :-17" (EEXIST) errors. 2. Missing free space info items, sometimes caught with a "missing free space info for X" error. 3. Double-accounted space: ranges that were allocated in the extent tree and also marked as free in the free space tree, ranges that were mar... • https://git.kernel.org/stable/c/d0c2f4fa555e70324ec2a129b822ab58f172cc62 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49998 – rxrpc: Fix locking in rxrpc's sendmsg
https://notcve.org/view.php?id=CVE-2022-49998
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix locking in rxrpc's sendmsg Fix three bugs in the rxrpc's sendmsg implementation: (1) rxrpc_new_client_call() should release the socket lock when returning an error from rxrpc_get_call_slot(). (2) rxrpc_wait_for_tx_window_intr() will return without the call mutex held in the event that we're interrupted by a signal whilst waiting for tx space on the socket or relocking the call mutex afterwards. Fix this by: (a) moving the unlock/... • https://git.kernel.org/stable/c/bc5e3a546d553e5223851fc199e69040eb70f68b •