CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49560 – exfat: check if cluster num is valid
https://notcve.org/view.php?id=CVE-2022-49560
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: exfat: check if cluster num is valid Syzbot reported slab-out-of-bounds read in exfat_clear_bitmap. This was triggered by reproducer calling truncute with size 0, which causes the following trace: BUG: KASAN: slab-out-of-bounds in exfat_clear_bitmap+0x147/0x490 fs/exfat/balloc.c:174 Read of size 8 at addr ffff888115aa9508 by task syz-executor251/365 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack_lvl+0x1e2/0x24b lib/dump_st... • https://git.kernel.org/stable/c/1e49a94cf707204b66a3fb242f2814712c941f52 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49559 – KVM: x86: Drop WARNs that assert a triple fault never "escapes" from L2
https://notcve.org/view.php?id=CVE-2022-49559
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Drop WARNs that assert a triple fault never "escapes" from L2 Remove WARNs that sanity check that KVM never lets a triple fault for L2 escape and incorrectly end up in L1. In normal operation, the sanity check is perfectly valid, but it incorrectly assumes that it's impossible for userspace to induce KVM_REQ_TRIPLE_FAULT without bouncing through KVM_RUN (which guarantees kvm_check_nested_state() will see and handle the triple faul... • https://git.kernel.org/stable/c/cb6a32c2b8777ad31a02e585584d869251a790e3 •
CVSS: 5.6EPSS: 0%CPEs: 7EXPL: 0CVE-2022-49558 – netfilter: nf_tables: double hook unregistration in netns path
https://notcve.org/view.php?id=CVE-2022-49558
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: double hook unregistration in netns path __nft_release_hooks() is called from pre_netns exit path which unregisters the hooks, then the NETDEV_UNREGISTER event is triggered which unregisters the hooks again. [ 565.221461] WARNING: CPU: 18 PID: 193 at net/netfilter/core.c:495 __nf_unregister_net_hook+0x247/0x270 [...] [ 565.246890] CPU: 18 PID: 193 Comm: kworker/u64:1 Tainted: G E 5.18.0-rc7+ #27 [ 565.253682] Workqueue... • https://git.kernel.org/stable/c/767d1216bff82507c945e92fe719dff2083bb2f4 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49557 – x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave)
https://notcve.org/view.php?id=CVE-2022-49557
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/fpu: KVM: Set the base guest FPU uABI size to sizeof(struct kvm_xsave) Set the starting uABI size of KVM's guest FPU to 'struct kvm_xsave', i.e. to KVM's historical uABI size. When saving FPU state for usersapce, KVM (well, now the FPU) sets the FP+SSE bits in the XSAVE header even if the host doesn't support XSAVE. Setting the XSAVE header allows the VM to be migrated to a host that does support XSAVE without the new host having to han... • https://git.kernel.org/stable/c/be50b2065dfa3d88428fdfdc340d154d96bf6848 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49556 – KVM: SVM: Use kzalloc for sev ioctl interfaces to prevent kernel data leak
https://notcve.org/view.php?id=CVE-2022-49556
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: KVM: SVM: Use kzalloc for sev ioctl interfaces to prevent kernel data leak For some sev ioctl interfaces, the length parameter that is passed maybe less than or equal to SEV_FW_BLOB_MAX_SIZE, but larger than the data that PSP firmware returns. In this case, kmalloc will allocate memory that is the size of the input rather than the size of the data. Since PSP firmware doesn't fully overwrite the allocated buffer, these sev ioctl interface ma... • https://git.kernel.org/stable/c/eaf78265a4ab33935d3a0f1407ce4a91aac4d4d5 •
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49555 – Bluetooth: hci_qca: Use del_timer_sync() before freeing
https://notcve.org/view.php?id=CVE-2022-49555
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_qca: Use del_timer_sync() before freeing While looking at a crash report on a timer list being corrupted, which usually happens when a timer is freed while still active. This is commonly triggered by code calling del_timer() instead of del_timer_sync() just before freeing. One possible culprit is the hci_qca driver, which does exactly that. Eric mentioned that wake_retrans_timer could be rearmed via the work queue, so also mo... • https://git.kernel.org/stable/c/0ff252c1976da5d80db1377eb39b551931e61826 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49554 – zsmalloc: fix races between asynchronous zspage free and page migration
https://notcve.org/view.php?id=CVE-2022-49554
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: zsmalloc: fix races between asynchronous zspage free and page migration The asynchronous zspage free worker tries to lock a zspage's entire page list without defending against page migration. Since pages which haven't yet been locked can concurrently migrate off the zspage page list while lock_zspage() churns away, lock_zspage() can suffer from a few different lethal races. It can lock a page which no longer belongs to the zspage and unsafe... • https://git.kernel.org/stable/c/77ff465799c60294e248000cd22ae8171da3304c •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49553 – fs/ntfs3: validate BOOT sectors_per_clusters
https://notcve.org/view.php?id=CVE-2022-49553
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: validate BOOT sectors_per_clusters When the NTFS BOOT sectors_per_clusters field is > 0x80, it represents a shift value. Make sure that the shift value is not too large before using it (NTFS max cluster size is 2MB). Return -EVINVAL if it too large. This prevents negative shift values and shift values that are larger than the field size. Prevents this UBSAN error: UBSAN: shift-out-of-bounds in .. • https://git.kernel.org/stable/c/82cae269cfa953032fbb8980a7d554d60fb00b17 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49552 – bpf: Fix combination of jit blinding and pointers to bpf subprogs.
https://notcve.org/view.php?id=CVE-2022-49552
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix combination of jit blinding and pointers to bpf subprogs. The combination of jit blinding and pointers to bpf subprogs causes: [ 36.989548] BUG: unable to handle page fault for address: 0000000100000001 [ 36.990342] #PF: supervisor instruction fetch in kernel mode [ 36.990968] #PF: error_code(0x0010) - not-present page [ 36.994859] RIP: 0010:0x100000001 [ 36.995209] Code: Unable to access opcode bytes at RIP 0xffffffd7. [ 37.004091... • https://git.kernel.org/stable/c/69c087ba6225b574afb6e505b72cb75242a3d844 •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49551 – usb: isp1760: Fix out-of-bounds array access
https://notcve.org/view.php?id=CVE-2022-49551
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: isp1760: Fix out-of-bounds array access Running the driver through kasan gives an interesting splat: BUG: KASAN: global-out-of-bounds in isp1760_register+0x180/0x70c Read of size 20 at addr f1db2e64 by task swapper/0/1 (...) isp1760_register from isp1760_plat_probe+0x1d8/0x220 (...) This happens because the loop reading the regmap fields for the different ISP1760 variants look like this: for (i = 0; i < HC_FIELD_MAX; i++) { ... } Meani... • https://git.kernel.org/stable/c/1da9e1c06873350c99ba49a052f92de85f2c69f2 •