CVSS: - EPSS: 0% CPEs: 4 EXPL: 0
CVE-2023-53867 – ceph: fix potential use-after-free bug when trimming caps
https://notcve.org/view.php?id=CVE-2023-53867
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ceph: fix potential use-after-free bug when trimming caps When trimming the caps and just after the 'session->s_cap_lock' is released in ceph_iterate_session_caps() the cap may be removed by another thread, and when using the stale cap memory in the callbacks it will trigger use-after-free crash. We need to check the existence of the cap just after the 'ci->i_ceph_lock' being acquired. And do nothing if it's already removed. • https://git.kernel.org/stable/c/2f2dc053404febedc9c273452d9d518fb31fde72 •
CVSS: - EPSS: 0% CPEs: 8 EXPL: 0
CVE-2022-50709 – wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
https://notcve.org/view.php?id=CVE-2022-50709
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() syzbot is reporting uninit value at ath9k_htc_rx_msg() [1], for ioctl(USB_RAW_IOCTL_EP_WRITE) can call ath9k_hif_usb_rx_stream() with pkt_len = 0 but ath9k_hif_usb_rx_stream() uses __dev_alloc_skb(pkt_len + 32, GFP_ATOMIC) based on an assumption that pkt_len is valid. As a result, ath9k_hif_usb_rx_stream() allocates skb with uninitialized memory and ath9k_htc_rx_msg() is reading fr... • https://git.kernel.org/stable/c/fb9987d0f748c983bb795a86f47522313f701a08 •
CVSS: - EPSS: 0% CPEs: 3 EXPL: 0
CVE-2022-50708 – HSI: ssi_protocol: fix potential resource leak in ssip_pn_open()
https://notcve.org/view.php?id=CVE-2022-50708
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: fix potential resource leak in ssip_pn_open() ssip_pn_open() claims the HSI client's port with hsi_claim_port(). When hsi_register_port_event() gets some error and returns a negative value, the HSI client's port should be released with hsi_release_port(). Fix it by calling hsi_release_port() when hsi_register_port_event() fails. • https://git.kernel.org/stable/c/dc7bf5d7186849aa36b9f0e42e250a813a7b0bdb •
CVSS: - EPSS: 0% CPEs: 6 EXPL: 0
CVE-2022-50706 – net/ieee802154: don't warn zero-sized raw_sendmsg()
https://notcve.org/view.php?id=CVE-2022-50706
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net/ieee802154: don't warn zero-sized raw_sendmsg() syzbot is hitting skb_assert_len() warning at __dev_queue_xmit() [1], for PF_IEEE802154 socket's zero-sized raw_sendmsg() request is hitting __dev_queue_xmit() with skb->len == 0. Since PF_IEEE802154 socket's zero-sized raw_sendmsg() request was able to return 0, don't call __dev_queue_xmit() if packet length is 0. ---------- #include
CVSS: - EPSS: 0% CPEs: 3 EXPL: 0
CVE-2022-50704 – USB: gadget: Fix use-after-free during usb config switch
https://notcve.org/view.php?id=CVE-2022-50704
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: USB: gadget: Fix use-after-free during usb config switch In the process of switching USB config from rndis to other config, if the hardware does not support the ->pullup callback, or the hardware encounters a low probability fault, both of them may cause the ->pullup callback to fail, which will then cause a system panic (use after free). The gadget drivers sometimes need to be unloaded regardless of the hardware's behavior. Analysis as fol... • https://git.kernel.org/stable/c/0a55187a1ec8c03d0619e7ce41d10fdc39cff036 •
CVSS: - EPSS: 0% CPEs: 9 EXPL: 0
CVE-2022-50703 – soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
https://notcve.org/view.php?id=CVE-2022-50703
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() There are two refcount leak bugs in qcom_smsm_probe(): (1) The 'local_node' is escaped out from for_each_child_of_node() as the break of iteration, we should call of_node_put() for it in error path or when it is not used anymore. (2) The 'node' is escaped out from for_each_available_child_of_node() as the 'goto', we should call of_node_put() for it in goto target. The SUSE Linux E... • https://git.kernel.org/stable/c/c97c4090ff72297a878a37715bd301624b71c885 •
CVSS: - EPSS: 0% CPEs: 3 EXPL: 0
CVE-2022-50700 – wifi: ath10k: Delay the unmapping of the buffer
https://notcve.org/view.php?id=CVE-2022-50700
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: ath10k: Delay the unmapping of the buffer On WCN3990, we are seeing a rare scenario where copy engine hardware is sending a copy complete interrupt to the host driver while still processing the buffer that the driver has sent, this is leading into an SMMU fault triggering kernel panic. This is happening on copy engine channel 3 (CE3) where the driver normally enqueues WMI commands to the firmware. Upon receiving a copy complete interr... • https://git.kernel.org/stable/c/d390509bdf501c9c8c6e61248e4bc9314c86d854 •
CVSS: - EPSS: 0% CPEs: 4 EXPL: 0
CVE-2022-50699 – selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context()
https://notcve.org/view.php?id=CVE-2022-50699
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: selinux: enable use of both GFP_KERNEL and GFP_ATOMIC in convert_context() The following warning was triggered on a hardware environment: SELinux: Converting 162 SID table entries... BUG: sleeping function called from invalid context at __might_sleep+0x60/0x74 0x0 in_atomic(): 1, irqs_disabled(): 128, non_block: 0, pid: 5943, name: tar CPU: 7 PID: 5943 Comm: tar Tainted: P O 5.10.0 #1 Call trace: dump_backtrace+0x0/0x1c8 show_stack+0x18/0x2... • https://git.kernel.org/stable/c/ee1a84fdfeedfd7362e9a8a8f15fedc3482ade2d •
CVSS: - EPSS: 0% CPEs: 9 EXPL: 0
CVE-2022-50697 – mrp: introduce active flags to prevent UAF when applicant uninit
https://notcve.org/view.php?id=CVE-2022-50697
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mrp: introduce active flags to prevent UAF when applicant uninit The caller of del_timer_sync must prevent restarting of the timer. If we do not have this synchronization, there is a small probability that the cancellation will not be successful. And syzbot reports the following crash: ================================================================== BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline] BUG: KASAN: use-... • https://git.kernel.org/stable/c/febf018d22347b5df94066bca05d0c11a84e839d •
CVSS: 3.3 EPSS: 0% CPEs: 8 EXPL: 0
CVE-2025-68733 – smack: fix bug: unprivileged task can create labels
https://notcve.org/view.php?id=CVE-2025-68733
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: smack: fix bug: unprivileged task can create labels If an unprivileged task is allowed to relabel itself (/smack/relabel-self is not empty), it can freely create new labels by writing their names into its own /proc/PID/attr/smack/current. This occurs because do_setattr() imports the provided label in advance, before checking the "relabel-self" list. This change ensures that the "relabel-self" list is checked before importing the label. In the Linux ... • https://git.kernel.org/stable/c/38416e53936ecf896948fdeffc36b76979117952 •
