CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49555 – Bluetooth: hci_qca: Use del_timer_sync() before freeing
https://notcve.org/view.php?id=CVE-2022-49555
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_qca: Use del_timer_sync() before freeing While looking at a crash report on a timer list being corrupted, which usually happens when a timer is freed while still active. This is commonly triggered by code calling del_timer() instead of del_timer_sync() just before freeing. One possible culprit is the hci_qca driver, which does exactly that. Eric mentioned that wake_retrans_timer could be rearmed via the work queue, so also mo... • https://git.kernel.org/stable/c/0ff252c1976da5d80db1377eb39b551931e61826 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49554 – zsmalloc: fix races between asynchronous zspage free and page migration
https://notcve.org/view.php?id=CVE-2022-49554
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: zsmalloc: fix races between asynchronous zspage free and page migration The asynchronous zspage free worker tries to lock a zspage's entire page list without defending against page migration. Since pages which haven't yet been locked can concurrently migrate off the zspage page list while lock_zspage() churns away, lock_zspage() can suffer from a few different lethal races. It can lock a page which no longer belongs to the zspage and unsafe... • https://git.kernel.org/stable/c/77ff465799c60294e248000cd22ae8171da3304c •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49553 – fs/ntfs3: validate BOOT sectors_per_clusters
https://notcve.org/view.php?id=CVE-2022-49553
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: validate BOOT sectors_per_clusters When the NTFS BOOT sectors_per_clusters field is > 0x80, it represents a shift value. Make sure that the shift value is not too large before using it (NTFS max cluster size is 2MB). Return -EVINVAL if it too large. This prevents negative shift values and shift values that are larger than the field size. Prevents this UBSAN error: UBSAN: shift-out-of-bounds in .. • https://git.kernel.org/stable/c/82cae269cfa953032fbb8980a7d554d60fb00b17 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49552 – bpf: Fix combination of jit blinding and pointers to bpf subprogs.
https://notcve.org/view.php?id=CVE-2022-49552
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix combination of jit blinding and pointers to bpf subprogs. The combination of jit blinding and pointers to bpf subprogs causes: [ 36.989548] BUG: unable to handle page fault for address: 0000000100000001 [ 36.990342] #PF: supervisor instruction fetch in kernel mode [ 36.990968] #PF: error_code(0x0010) - not-present page [ 36.994859] RIP: 0010:0x100000001 [ 36.995209] Code: Unable to access opcode bytes at RIP 0xffffffd7. [ 37.004091... • https://git.kernel.org/stable/c/69c087ba6225b574afb6e505b72cb75242a3d844 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49551 – usb: isp1760: Fix out-of-bounds array access
https://notcve.org/view.php?id=CVE-2022-49551
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: isp1760: Fix out-of-bounds array access Running the driver through kasan gives an interesting splat: BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c Read of size 20 at addr f1db2e64 by task swapper/0/1 (...) isp1760_register from isp1760_plat_probe+0x1d8/0x220 (...) This happens because the loop reading the regmap fields for the different ISP1760 variants look like this: for (i = 0; i < HC_FIELD_MAX; i++) { ... } Meani... • https://git.kernel.org/stable/c/1da9e1c06873350c99ba49a052f92de85f2c69f2 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49549 – x86/MCE/AMD: Fix memory leak when threshold_create_bank() fails
https://notcve.org/view.php?id=CVE-2022-49549
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/MCE/AMD: Fix memory leak when threshold_create_bank() fails In mce_threshold_create_device(), if threshold_create_bank() fails, the previously allocated threshold banks array @bp will be leaked because the call to mce_threshold_remove_device() will not free it. This happens because mce_threshold_remove_device() fetches the pointer through the threshold_banks per-CPU variable but bp is written there only after the bank creation is succes... • https://git.kernel.org/stable/c/6458de97fc15530b54477c4e2b70af653e8ac3d9 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49548 – bpf: Fix potential array overflow in bpf_trampoline_get_progs()
https://notcve.org/view.php?id=CVE-2022-49548
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix potential array overflow in bpf_trampoline_get_progs() The cnt value in the 'cnt >= BPF_MAX_TRAMP_PROGS' check does not include BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of the attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline can exceed BPF_MAX_TRAMP_PROGS. When this happens, the assignment '*progs++ = aux->prog' in bpf_trampoline_get_progs() will cause progs array overflow as the progs field in the bpf_tramp... • https://git.kernel.org/stable/c/88fd9e5352fe05f7fe57778293aebd4cd106960b •
CVSS: 5.0EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49547 – btrfs: fix deadlock between concurrent dio writes when low on free data space
https://notcve.org/view.php?id=CVE-2022-49547
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock between concurrent dio writes when low on free data space When reserving data space for a direct IO write we can end up deadlocking if we have multiple tasks attempting a write to the same file range, there are multiple extents covered by that file range, we are low on available space for data and the writes don't expand the inode's i_size. The deadlock can happen like this: 1) We have a file with an i_size of 1M, at off... • https://git.kernel.org/stable/c/f0bfa76a11e93d0fe2c896fcb566568c5e8b5d3f •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49546 – x86/kexec: fix memory leak of elf header buffer
https://notcve.org/view.php?id=CVE-2022-49546
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/kexec: fix memory leak of elf header buffer This is reported by kmemleak detector: unreferenced object 0xffffc900002a9000 (size 4096): comm "kexec", pid 14950, jiffies 4295110793 (age 373.951s) hex dump (first 32 bytes): 7f 45 4c 46 02 01 01 00 00 00 00 00 00 00 00 00 .ELF............ 04 00 3e 00 01 00 00 00 00 00 00 00 00 00 00 00 ..>............. backtrace: [<0000000016a8ef9f>] __vmalloc_node_range+0x101/0x170 [<000000002b66b6c0>] __v... • https://git.kernel.org/stable/c/8765a423a87d74ef24ea02b43b2728fe4039f248 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49545 – ALSA: usb-audio: Cancel pending work at closing a MIDI substream
https://notcve.org/view.php?id=CVE-2022-49545
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Cancel pending work at closing a MIDI substream At closing a USB MIDI output substream, there might be still a pending work, which would eventually access the rawmidi runtime object that is being released. For fixing the race, make sure to cancel the pending work at closing. In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Cancel pending work at closing a MIDI substream At closing a USB M... • https://git.kernel.org/stable/c/40bdb5ec957aca5c5c1924602bef6b0ab18e22d3 •