CVSS: 5.5 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2023-53147 – xfrm: add NULL check in xfrm_update_ae_params
https://notcve.org/view.php?id=CVE-2023-53147
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: xfrm: add NULL check in xfrm_update_ae_params Normally, x->replay_esn and x->preplay_esn should be allocated at xfrm_alloc_replay_state_esn(...) in xfrm_state_construct(...), hence the xfrm_update_ae_params(...) is okay to update them. However, the current implementation of xfrm_new_ae(...) allows a malicious user to directly dereference a NULL pointer and crash the kernel like below. BUG: kernel NULL pointer dereference, address: 000000000... • https://git.kernel.org/stable/c/d8647b79c3b7e223ac051439d165bc8e7bbb832f • CWE-476: NULL Pointer Dereference •
CVSS: 8.8 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2022-50261 – drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
https://notcve.org/view.php?id=CVE-2022-50261
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang... • https://git.kernel.org/stable/c/b2c92b2a3801b09b709cbefd9a9e4944b72400bf •
CVSS: 7.3 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2022-50258 – wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()
https://notcve.org/view.php?id=CVE-2022-50258
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds() This patch fixes a stack-out-of-bounds read in brcmfmac that occurs when 'buf' that is not null-terminated is passed as an argument of strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware version string by memcpy() in brcmf_fil_iovar_data_get(). The patch ensures buf is null-terminated. Found by a modified version of syzkaller. [ 47.569679][ T... • https://git.kernel.org/stable/c/89243a7b0ea19606ba1c2873c9d569026ccb344f • CWE-125: Out-of-bounds Read •
CVSS: 7.1 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2022-50253 – bpf: make sure skb->len != 0 when redirecting to a tunneling device
https://notcve.org/view.php?id=CVE-2022-50253
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: make sure skb->len != 0 when redirecting to a tunneling device syzkaller managed to trigger another case where skb->len == 0 when we enter __dev_queue_xmit: WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline] WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295 Call Trace: dev_queue_xmit+0x17/0x20 net/core/dev.c:4406 __bpf_tx... • https://git.kernel.org/stable/c/ffbccc5fb0a67424e12f7f8da210c04c8063f797 •
CVSS: 7.8 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2022-50252 – igb: Do not free q_vector unless new one was allocated
https://notcve.org/view.php?id=CVE-2022-50252
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: igb: Do not free q_vector unless new one was allocated Avoid potential use-after-free condition under memory pressure. If the kzalloc() fails, q_vector will be freed but left in the original adapter->q_vector[v_idx] array position. • https://git.kernel.org/stable/c/64ca1969599857143e91aeec4440640656100803 •
CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2022-50251 – mmc: vub300: fix return value check of mmc_add_host()
https://notcve.org/view.php?id=CVE-2022-50251
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mmc: vub300: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, the memory that allocated in mmc_alloc_host() will be leaked and it will lead a kernel crash because of deleting not added device in the remove path. So fix this by checking the return value and goto error path which will call mmc_free_host(), besides, the timer added before mmc_add_host() needs be del. And this patch fixes ... • https://git.kernel.org/stable/c/88095e7b473a3d9ec3b9c60429576e9cbd327c89 •
CVSS: 7.1 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2022-50250 – regulator: core: fix use_count leakage when handling boot-on
https://notcve.org/view.php?id=CVE-2022-50250
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: core: fix use_count leakage when handling boot-on I found a use_count leakage towards supply regulator of rdev with boot-on option.
 ┌───────────────────┐           ┌───────────────────┐
 │  regulator_dev A  │           │  regulator_dev B  │
 │     (boot-on)     │           │     (boot-on)     │
 │    use_count=0    │◀──supply──│    use_count=1    │
 │                   │           │                   │
 └───────────────────┘           └───────────────────┘
In case of rdev(A) configured with `regulator-boot-on', the use_count of supplying regulator(B)... • https://git.kernel.org/stable/c/dc3391d49479bc2bf8a2b88dbf86fdd800882fee •
CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2022-50249 – memory: of: Fix refcount leak bug in of_get_ddr_timings()
https://notcve.org/view.php?id=CVE-2022-50249
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: memory: of: Fix refcount leak bug in of_get_ddr_timings() We should add the of_node_put() when breaking out of for_each_child_of_node() as it will automatically increase and decrease the refcount. • https://git.kernel.org/stable/c/e6b42eb6a66c188642aeb447312938c6f6ebee86 •
CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2022-50241 – NFSD: fix use-after-free on source server when doing inter-server copy
https://notcve.org/view.php?id=CVE-2022-50241
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: NFSD: fix use-after-free on source server when doing inter-server copy Use-after-free occurred when the laundromat tried to free expired cpntf_state entry on the s2s_cp_stateids list after inter-server copy completed. The sc_cp_list that the expired copy state was inserted on was already freed. When COPY completes, the Linux client normally sends LOCKU(lock_state x), FREE_STATEID(lock_state x) and CLOSE(open_state y) to the source server. T... • https://git.kernel.org/stable/c/bbacfcde5fff25ac22597e8373a065c647da6738 • CWE-416: Use After Free •
CVSS: 7.2 | EPSS: 0% | CPEs: 6 | EXPL: 0 | CVE-2025-39801 – usb: dwc3: Remove WARN_ON for device endpoint command timeouts
https://notcve.org/view.php?id=CVE-2025-39801
15 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Remove WARN_ON for device endpoint command timeouts This commit addresses a rarely observed endpoint command timeout which causes kernel panic due to warn when 'panic_on_warn' is enabled and unnecessary call trace prints when 'panic_on_warn' is disabled. It is seen during fast software-controlled connect/disconnect testcases. The following is one such endpoint command timeout that we observed: 1. Connect ======= ->dwc3_thread_int... • https://git.kernel.org/stable/c/dfe40159eec6ca63b40133bfa783eee2e3ed829f •
