CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49946 – clk: bcm: rpi: Prevent out-of-bounds access
https://notcve.org/view.php?id=CVE-2022-49946
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Prevent out-of-bounds access The while loop in raspberrypi_discover_clocks() relies on the assumption that the id of the last clock element is zero. Because this data comes from the Videocore firmware and it doesn't guarantuee such a behavior this could lead to out-of-bounds access. So fix this by providing a sentinel element. In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Prevent out-of-bo... • https://git.kernel.org/stable/c/93d2725affd65686792f4b57e49ef660f3c8c0f9 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49945 – hwmon: (gpio-fan) Fix array out of bounds access
https://notcve.org/view.php?id=CVE-2022-49945
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (gpio-fan) Fix array out of bounds access The driver does not check if the cooling state passed to gpio_fan_set_cur_state() exceeds the maximum cooling state as stored in fan_data->num_speeds. Since the cooling state is later used as an array index in set_fan_speed(), an array out of bounds access can occur. This can be exploited by setting the state of the thermal cooling device to arbitrary values, causing for example a kernel oops... • https://git.kernel.org/stable/c/b5cf88e46badea6d600d8515edea23814e03444d •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49944 – Revert "usb: typec: ucsi: add a common function ucsi_unregister_connectors()"
https://notcve.org/view.php?id=CVE-2022-49944
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "usb: typec: ucsi: add a common function ucsi_unregister_connectors()" The recent commit 87d0e2f41b8c ("usb: typec: ucsi: add a common function ucsi_unregister_connectors()") introduced a regression that caused NULL dereference at reading the power supply sysfs. It's a stale sysfs entry that should have been removed but remains with NULL ops. The commit changed the error handling to skip the entries after a NULL con->wq, and this lea... • https://git.kernel.org/stable/c/87d0e2f41b8cc2018499be4e8003fa8c09b6f2fb •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-49943 – USB: gadget: Fix obscure lockdep violation for udc_mutex
https://notcve.org/view.php?id=CVE-2022-49943
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: USB: gadget: Fix obscure lockdep violation for udc_mutex A recent commit expanding the scope of the udc_lock mutex in the gadget core managed to cause an obscure and slightly bizarre lockdep violation. In abbreviated form: ====================================================== WARNING: possible circular locking dependency detected 5.19.0-rc7+ #12510 Not tainted ------------------------------------------------------ udevadm/312 is trying to ... • https://git.kernel.org/stable/c/f44b0b95d50fffeca036e1ba36770390e0b519dd •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49942 – wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected
https://notcve.org/view.php?id=CVE-2022-49942
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected When we are not connected to a channel, sending channel "switch" announcement doesn't make any sense. The BSS list is empty in that case. This causes the for loop in cfg80211_get_bss() to be bypassed, so the function returns NULL (check line 1424 of net/wireless/scan.c), causing the WARN_ON() in ieee80211_ibss_csa_beacon() to get triggered (check line 500 of net/mac802... • https://git.kernel.org/stable/c/cd7760e62c2ac8581f050b2d36501d1a60beaf83 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49940 – tty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf()
https://notcve.org/view.php?id=CVE-2022-49940
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf() A null pointer dereference can happen when attempting to access the "gsm->receive()" function in gsmld_receive_buf(). Currently, the code assumes that gsm->recieve is only called after MUX activation. Since the gsmld_receive_buf() function can be accessed without the need to initialize the MUX, the gsm->receive() function will not be set and a NULL pointer dereference will o... • https://git.kernel.org/stable/c/dfa9b6d34aac2154b5e926d7a7a061123bf137c6 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2022-49939 – binder: fix UAF of ref->proc caused by race condition
https://notcve.org/view.php?id=CVE-2022-49939
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of ref->proc caused by race condition A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel the call will race with binder_deferred_release(), so the target could have released all of its references by now leaving the cleanup of the new failed referen... • https://git.kernel.org/stable/c/229f47603dd306bc0eb1a831439adb8e48bb0eae •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49938 – cifs: fix small mempool leak in SMB2_negotiate()
https://notcve.org/view.php?id=CVE-2022-49938
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: fix small mempool leak in SMB2_negotiate() In some cases of failure (dialect mismatches) in SMB2_negotiate(), after the request is sent, the checks would return -EIO when they should be rather setting rc = -EIO and jumping to neg_exit to free the response buffer from mempool. In the Linux kernel, the following vulnerability has been resolved: cifs: fix small mempool leak in SMB2_negotiate() In some cases of failure (dialect mismatches... • https://git.kernel.org/stable/c/9e3c9efa7caf16e5acc05eab5e4d0a714e1610b0 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49937 – media: mceusb: Use new usb_control_msg_*() routines
https://notcve.org/view.php?id=CVE-2022-49937
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: media: mceusb: Use new usb_control_msg_*() routines Automatic kernel fuzzing led to a WARN about invalid pipe direction in the mceusb driver: ------------[ cut here ]------------ usb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40 WARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410 usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-0020... • https://git.kernel.org/stable/c/587f793c64d99d92be8ef01c4c69d885a3f2edb6 •
CVSS: 6.6EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49936 – USB: core: Prevent nested device-reset calls
https://notcve.org/view.php?id=CVE-2022-49936
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: USB: core: Prevent nested device-reset calls Automatic kernel fuzzing revealed a recursive locking violation in usb-storage: ============================================ WARNING: possible recursive locking detected 5.18.0 #3 Not tainted -------------------------------------------- kworker/1:3/1205 is trying to acquire lock: ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 bu... • https://git.kernel.org/stable/c/d90419b8b8322b6924f6da9da952647f2dadc21b •