CVE-2022-49031 – iio: health: afe4403: Fix oob read in afe4403_read_raw
https://notcve.org/view.php?id=CVE-2022-49031
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: iio: health: afe4403: Fix oob read in afe4403_read_raw KASAN report out-of-bounds read as follows: BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0 Read of size 4 at addr ffffffffc02ac638 by task cat/279 Call Trace: afe4403_read_raw iio_read_channel_info dev_attr_show The buggy address belongs to the variable: afe4403_channel_leds+0x18/0xffffffffffffe9e0 This issue can be reproduced by single command: $ cat /sys/bus/spi/devic... • https://git.kernel.org/stable/c/b36e8257641a043764c62240316610c81e36376c •
CVE-2022-49030 – libbpf: Handle size overflow for ringbuf mmap
https://notcve.org/view.php?id=CVE-2022-49030
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: libbpf: Handle size overflow for ringbuf mmap The maximum size of ringbuf is 2GB on x86-64 host, so 2 * max_entries will overflow u32 when mapping producer page and data pages. Only casting max_entries to size_t is not enough, because for 32-bits application on 64-bits kernel the size of read-only mmap region also could overflow size_t. So fixing it by casting the size of read-only mmap region into a __u64 and checking whether or not there ... • https://git.kernel.org/stable/c/bf99c936f9478a05d51e9f101f90de70bee9a89c •
CVE-2022-49029 – hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails
https://notcve.org/view.php?id=CVE-2022-49029
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails Smatch report warning as follows: drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: '&data->list' not removed from list If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will be freed, but data->list will not be removed from driver_data.bmc_data, then list traversal may cause UAF. Fix by removing it from driver_data.bmc_data before free(). • https://git.kernel.org/stable/c/57c7c3a0fdea95eddcaeba31e7ca7dfc917682ab •
CVE-2022-49028 – ixgbevf: Fix resource leak in ixgbevf_init_module()
https://notcve.org/view.php?id=CVE-2022-49028
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: ixgbevf: Fix resource leak in ixgbevf_init_module() ixgbevf_init_module() won't destroy the workqueue created by create_singlethread_workqueue() when pci_register_driver() failed. Add destroy_workqueue() in fail path to prevent the resource leak. Similar to the handling of u132_hcd_init in commit f276e002793c ("usb: u132-hcd: fix resource leak") • https://git.kernel.org/stable/c/40a13e2493c9882cb4d09054d81a5063cd1589a2 •
CVE-2022-49027 – iavf: Fix error handling in iavf_init_module()
https://notcve.org/view.php?id=CVE-2022-49027
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: iavf: Fix error handling in iavf_init_module() The iavf_init_module() won't destroy workqueue when pci_register_driver() failed. Call destroy_workqueue() when pci_register_driver() failed to prevent the resource leak. Similar to the handling of u132_hcd_init in commit f276e002793c ("usb: u132-hcd: fix resource leak") • https://git.kernel.org/stable/c/2803b16c10ea7eec170c485388f5f26ae30e92fe •
CVE-2022-49026 – e100: Fix possible use after free in e100_xmit_prepare
https://notcve.org/view.php?id=CVE-2022-49026
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: e100: Fix possible use after free in e100_xmit_prepare In e100_xmit_prepare(), if we can't map the skb, then return -ENOMEM, so e100_xmit_frame() will return NETDEV_TX_BUSY and the upper layer will resend the skb. But the skb is already freed, which will cause UAF bug when the upper layer resends the skb. Remove the harmful free. • https://git.kernel.org/stable/c/5e5d49422dfb035ca9e280cd61d434095c151272 •
CVE-2022-49025 – net/mlx5e: Fix use-after-free when reverting termination table
https://notcve.org/view.php?id=CVE-2022-49025
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix use-after-free when reverting termination table When having multiple dests with termination tables and second one or afterwards fails the driver reverts usage of term tables but doesn't reset the assignment in attr->dests[num_vport_dests].termtbl which causes a use-after-free when releasing the rule. Fix by resetting the assignment of termtbl to null. • https://git.kernel.org/stable/c/10caabdaad5ace85577a453da97d1f8d3b944427 •
CVE-2022-49023 – wifi: cfg80211: fix buffer overflow in elem comparison
https://notcve.org/view.php?id=CVE-2022-49023
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix buffer overflow in elem comparison For vendor elements, the code here assumes that 5 octets are present without checking. Since the element itself is already checked to fit, we only need to check the length. • https://git.kernel.org/stable/c/0b8fb8235be8be99a197e8d948fc0a2df8dc261a •
CVE-2022-49022 – wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration
https://notcve.org/view.php?id=CVE-2022-49022
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac8021: fix possible oob access in ieee80211_get_rate_duration Fix possible out-of-bound access in ieee80211_get_rate_duration routine as reported by the following UBSAN report: UBSAN: array-index-out-of-bounds in net/mac80211/airtime.c:455:47 index 15 is out of range for type 'u16 [12]' CPU: 2 PID: 217 Comm: kworker/u32:10 Not tainted 6.1.0-060100rc3-generic Hardware name: Acer Aspire TC-281/Aspire TC-281, BIOS R01-A2 07/18/2017 Wor... • https://git.kernel.org/stable/c/db3e1c40cf2f973fbdd52ae0b59a9472b1c04f4a •
CVE-2022-49021 – net: phy: fix null-ptr-deref while probe() failed
https://notcve.org/view.php?id=CVE-2022-49021
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net: phy: fix null-ptr-deref while probe() failed I got a null-ptr-deref report as following when doing fault injection test: BUG: kernel NULL pointer dereference, address: 0000000000000058 Oops: 0000 [#1] PREEMPT SMP KASAN PTI CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 RIP: 0010:klist_put+0x2d/0xd0 Call Trace: