
CVE-2022-49966 – drm/amd/pm: add missing ->fini_microcode interface for Sienna Cichlid
https://notcve.org/view.php?id=CVE-2022-49966
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: add missing ->fini_microcode interface for Sienna Cichlid To avoid any potential memory leak. • https://git.kernel.org/stable/c/60d522f317078381ff8a3599fe808f96fc256cd5 •

CVE-2022-49965 – drm/amd/pm: add missing ->fini_xxxx interfaces for some SMU13 asics
https://notcve.org/view.php?id=CVE-2022-49965
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: add missing ->fini_xxxx interfaces for some SMU13 asics Without these, potential memory leak may be induced. • https://git.kernel.org/stable/c/22a75c616f1971c23838506b14971a4ef4a66bd7 •

CVE-2022-49964 – arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level
https://notcve.org/view.php?id=CVE-2022-49964
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned fw_level Though acpi_find_last_cache_level() always returned signed value and the document states it will return any errors caused by lack of a PPTT table, it never returned negative values before. Commit 0c80f9e165f8 ("ACPI: PPTT: Leave the table mapped for the runtime usage") however changed it by returning -ENOENT if no PPTT was found. The value returned from ac... • https://git.kernel.org/stable/c/1668c38ef2e5bb80dbee88afcecfcdc3e7abc2aa •

CVE-2022-49957 – kcm: fix strp_init() order and cleanup
https://notcve.org/view.php?id=CVE-2022-49957
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: kcm: fix strp_init() order and cleanup strp_init() is called just a few lines above this csk->sk_user_data check, it also initializes strp->work etc., therefore, it is unnecessary to call strp_done() to cancel the freshly initialized work. And if sk_user_data is already used by KCM, psock->strp should not be touched, particularly strp->work state, so we need to move strp_init() after the csk->sk_user_data check. This also makes a lockdep wa... • https://git.kernel.org/stable/c/44890e9ff771ef11777b2d1ebf8589255eb12502 •

CVE-2022-49956 – staging: rtl8712: fix use after free bugs
https://notcve.org/view.php?id=CVE-2022-49956
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: staging: rtl8712: fix use after free bugs _Read/Write_MACREG callbacks are NULL so the read/write_macreg_hdl() functions don't do anything except free the "pcmd" pointer. It results in a use after free. Delete them. In the Linux kernel, the following vulnerability has been resolved: staging: rtl8712: fix use after free bugs _Read/Write_MACREG callbacks are NULL so the read/write_macreg_hdl() functions don't do anything except free the "pcmd... • https://git.kernel.org/stable/c/2865d42c78a9121caad52cb02d1fbb7f5cdbc4ef •

CVE-2022-49954 – Input: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag
https://notcve.org/view.php?id=CVE-2022-49954
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: Input: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag syzbot is reporting hung task at __input_unregister_device() [1], for iforce_close() waiting at wait_event_interruptible() with dev->mutex held is blocking input_disconnect_device() from __input_unregister_device(). It seems that the cause is simply that commit c2b27ef672992a20 ("Input: iforce - wait for command completion when closing the device") forgot to call wake_up() afte... • https://git.kernel.org/stable/c/c2b27ef672992a206e5b221b8676972dd840ffa5 •

CVE-2022-49948 – vt: Clear selection before changing the font
https://notcve.org/view.php?id=CVE-2022-49948
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: vt: Clear selection before changing the font When changing the console font with ioctl(KDFONTOP) the new font size can be bigger than the previous font. A previous selection may thus now be outside of the new screen size and thus trigger out-of-bounds accesses to graphics memory if the selection is removed in vc_do_resize(). Prevent such out-of-memory accesses by dropping the selection before the various con_font_set() console handlers are ... • https://git.kernel.org/stable/c/c555cf04684fde39b5b0dd9fd80730030ee10c4a •

CVE-2022-49945 – hwmon: (gpio-fan) Fix array out of bounds access
https://notcve.org/view.php?id=CVE-2022-49945
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (gpio-fan) Fix array out of bounds access The driver does not check if the cooling state passed to gpio_fan_set_cur_state() exceeds the maximum cooling state as stored in fan_data->num_speeds. Since the cooling state is later used as an array index in set_fan_speed(), an array out of bounds access can occur. This can be exploited by setting the state of the thermal cooling device to arbitrary values, causing for example a kernel oops... • https://git.kernel.org/stable/c/b5cf88e46badea6d600d8515edea23814e03444d •

CVE-2022-49942 – wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected
https://notcve.org/view.php?id=CVE-2022-49942
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected When we are not connected to a channel, sending channel "switch" announcement doesn't make any sense. The BSS list is empty in that case. This causes the for loop in cfg80211_get_bss() to be bypassed, so the function returns NULL (check line 1424 of net/wireless/scan.c), causing the WARN_ON() in ieee80211_ibss_csa_beacon() to get triggered (check line 500 of net/mac802... • https://git.kernel.org/stable/c/cd7760e62c2ac8581f050b2d36501d1a60beaf83 •

CVE-2022-49939 – binder: fix UAF of ref->proc caused by race condition
https://notcve.org/view.php?id=CVE-2022-49939
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of ref->proc caused by race condition A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel the call will race with binder_deferred_release(), so the target could have released all of its references by now leaving the cleanup of the new failed referen... • https://git.kernel.org/stable/c/229f47603dd306bc0eb1a831439adb8e48bb0eae •