CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49913 – btrfs: fix inode list leak during backref walking at find_parent_nodes()
https://notcve.org/view.php?id=CVE-2022-49913
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix inode list leak during backref walking at find_parent_nodes() During backref walking, at find_parent_nodes(), if we are dealing with a data extent and we get an error while resolving the indirect backrefs, at resolve_indirect_refs(), or in the while loop that iterates over the refs in the direct refs rbtree, we end up leaking the inode lists attached to the direct refs we have in the direct refs rbtree that were not yet added to ... • https://git.kernel.org/stable/c/86d5f994425252d8a40e2184c94a2682ae8ecfbf •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49912 – btrfs: fix ulist leaks in error paths of qgroup self tests
https://notcve.org/view.php?id=CVE-2022-49912
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix ulist leaks in error paths of qgroup self tests In the test_no_shared_qgroup() and test_multiple_refs() qgroup self tests, if we fail to add the tree ref, remove the extent item or remove the extent ref, we are returning from the test function without freeing the "old_roots" ulist that was allocated by the previous calls to btrfs_find_all_roots(). Fix that by calling ulist_free() before returning. In the Linux kernel, the followi... • https://git.kernel.org/stable/c/442244c9633292a147ab2b29e7007a7c8a3909b2 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49911 – netfilter: ipset: enforce documented limit to prevent allocating huge memory
https://notcve.org/view.php?id=CVE-2022-49911
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: enforce documented limit to prevent allocating huge memory Daniel Xu reported that the hash:net,iface type of the ipset subsystem does not limit adding the same network with different interfaces to a set, which can lead to huge memory usage or allocation failure. The quick reproducer is $ ipset create ACL.IN.ALL_PERMIT hash:net,iface hashsize 1048576 timeout 0 $ for i in $(seq 0 100); do /sbin/ipset add ACL.IN.ALL_PERMIT 0... • https://git.kernel.org/stable/c/ccf0a4b7fc688561428290265e4effde41446668 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49910 – Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu
https://notcve.org/view.php?id=CVE-2022-49910
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu Fix the race condition between the following two flows that run in parallel: 1. l2cap_reassemble_sdu -> chan->ops->recv (l2cap_sock_recv_cb) -> __sock_queue_rcv_skb. 2. bt_sock_recvmsg -> skb_recv_datagram, skb_free_datagram. An SKB can be queued by the first flow and immediately dequeued and freed by the second flow, therefore the callers of l2cap_reassemble_sdu can't use ... • https://git.kernel.org/stable/c/4b51dae96731c9d82f5634e75ac7ffd3b9c1b060 •
CVSS: 7.1EPSS: 0%CPEs: 9EXPL: 0CVE-2022-49909 – Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
https://notcve.org/view.php?id=CVE-2022-49909
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() When l2cap_recv_frame() is invoked to receive data, and the cid is L2CAP_CID_A2MP, if the channel does not exist, it will create a channel. However, after a channel is created, the hold operation of the channel is not performed. In this case, the value of channel reference counting is 1. As a result, after hci_error_reset() is triggered, l2cap_conn_del() invokes the close hook functio... • https://git.kernel.org/stable/c/d255c861e268ba342e855244639a15f12d7a0bf2 •
CVSS: 5.7EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49908 – Bluetooth: L2CAP: Fix memory leak in vhci_write
https://notcve.org/view.php?id=CVE-2022-49908
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: Fix memory leak in vhci_write Syzkaller reports a memory leak as follows: ==================================== BUG: memory leak unreferenced object 0xffff88810d81ac00 (size 240): [...] hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49907 – net: mdio: fix undefined behavior in bit shift for __mdiobus_register
https://notcve.org/view.php?id=CVE-2022-49907
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net: mdio: fix undefined behavior in bit shift for __mdiobus_register Shifting signed 32-bit value by 31 bits is undefined, so changing significant bit to unsigned. The UBSAN warning calltrace like below: UBSAN: shift-out-of-bounds in drivers/net/phy/mdio_bus.c:586:27 left shift of 1 by 31 places cannot be represented in type 'int' Call Trace:
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49906 – ibmvnic: Free rwi on reset success
https://notcve.org/view.php?id=CVE-2022-49906
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Free rwi on reset success Free the rwi structure in the event that the last rwi in the list processed successfully. The logic in commit 4f408e1fa6e1 ("ibmvnic: retry reset if there are no other resets") introduces an issue that results in a 32 byte memory leak whenever the last rwi in the list gets processed. In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Free rwi on reset success Free the rwi structur... • https://git.kernel.org/stable/c/4f408e1fa6e10b6da72691233369172bac7d9e9b •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49905 – net/smc: Fix possible leaked pernet namespace in smc_init()
https://notcve.org/view.php?id=CVE-2022-49905
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net/smc: Fix possible leaked pernet namespace in smc_init() In smc_init(), register_pernet_subsys(&smc_net_stat_ops) is called without any error handling. If it fails, registering of &smc_net_ops won't be reverted. And if smc_nl_init() fails, &smc_net_stat_ops itself won't be reverted. This leaves wild ops in subsystem linkedlist and when another module tries to call register_pernet_operations() it triggers page fault: BUG: unable to handle... • https://git.kernel.org/stable/c/194730a9beb52d2b030ea45e12d94868d4a0e6fd •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49904 – net, neigh: Fix null-ptr-deref in neigh_table_clear()
https://notcve.org/view.php?id=CVE-2022-49904
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net, neigh: Fix null-ptr-deref in neigh_table_clear() When IPv6 module gets initialized but hits an error in the middle, kenel panic with: KASAN: null-ptr-deref in range [0x0000000000000598-0x000000000000059f] CPU: 1 PID: 361 Comm: insmod Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) RIP: 0010:__neigh_ifdown.isra.0+0x24b/0x370 RSP: 0018:ffff888012677908 EFLAGS: 00000202 ... Call Trace: