CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2022-48987 – media: v4l2-dv-timings.c: fix too strict blanking sanity checks
https://notcve.org/view.php?id=CVE-2022-48987
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: media: v4l2-dv-timings.c: fix too strict blanking sanity checks Sanity checks were added to verify the v4l2_bt_timings blanking fields in order to avoid integer overflows when userspace passes weird values. But that assumed that userspace would correctly fill in the front porch, backporch and sync values, but sometimes all you know is the total blanking, which is then assigned to just one of these fields. And that can fail with these checks... • https://git.kernel.org/stable/c/15ded23db134da975b49ea99770de0346c193b24 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48986 – mm/gup: fix gup_pud_range() for dax
https://notcve.org/view.php?id=CVE-2022-48986
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: mm/gup: fix gup_pud_range() for dax For dax pud, pud_huge() returns true on x86. So the function works as long as hugetlb is configured. However, dax doesn't depend on hugetlb. Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as well. This fixes the below kernel panic: general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1]... • https://git.kernel.org/stable/c/414fd080d125408cb15d04ff4907e1dd8145c8c7 •
CVSS: 4.7EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48985 – net: mana: Fix race on per-CQ variable napi work_done
https://notcve.org/view.php?id=CVE-2022-48985
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix race on per-CQ variable napi work_done After calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be cleared, and another CPU can start napi thread and access per-CQ variable, cq->work_done. If the other thread (for example, from busy_poll) sets it to a value >= budget, this thread will continue to run when it should stop, and cause memory corruption and panic. To fix this issue, save the per-CQ work_done variable in a... • https://git.kernel.org/stable/c/e1b5683ff62e7b328317aec08869495992053e9d •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48983 – io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
https://notcve.org/view.php?id=CVE-2022-48983
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb() Syzkaller reports a NULL deref bug as follows: BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3 Read of size 4 at addr 0000000000000138 by task file1/1955 CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Call Trace:
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48982 – Bluetooth: Fix crash when replugging CSR fake controllers
https://notcve.org/view.php?id=CVE-2022-48982
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix crash when replugging CSR fake controllers It seems fake CSR 5.0 clones can cause the suspend notifier to be registered twice causing the following kernel panic: [ 71.986122] Call Trace: [ 71.986124]
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48981 – drm/shmem-helper: Remove errant put in error path
https://notcve.org/view.php?id=CVE-2022-48981
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Remove errant put in error path drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM object getting prematurely freed leading to a later use-after-free. In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Remove errant put in error path drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM object getting prematurely freed leading to a later use-after-free. • https://git.kernel.org/stable/c/2194a63a818db71065ebe09c8104f5f021ca4e7b •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48980 – net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
https://notcve.org/view.php?id=CVE-2022-48980
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing() The SJA1105 family has 45 L2 policing table entries (SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110 (SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but accounting for the difference in port count (5 in SJA1105 vs 10 in SJA1110) does not fully explain the difference. Rather, the SJA1110 also has L2 ingress policers for multicast traffic. If a packet ... • https://git.kernel.org/stable/c/38fbe91f2287c696f290d9115901aa435f7166a8 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-48979 – drm/amd/display: fix array index out of bound error in DCN32 DML
https://notcve.org/view.php?id=CVE-2022-48979
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix array index out of bound error in DCN32 DML [Why&How] LinkCapacitySupport array is indexed with the number of voltage states and not the number of max DPPs. Fix the error by changing the array declaration to use the correct (larger) array size of total number of voltage states. In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix array index out of bound error in DCN32 DML [Why&How] L... • https://git.kernel.org/stable/c/3d8a298b2e83b98042e6ec726e934f535b23e6aa •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48978 – HID: core: fix shift-out-of-bounds in hid_report_raw_event
https://notcve.org/view.php?id=CVE-2022-48978
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: HID: core: fix shift-out-of-bounds in hid_report_raw_event Syzbot reported shift-out-of-bounds in hid_report_raw_event. microsoft 0003:045E:07DA.0001: hid_field_extract() called with n (128) > 32! (swapper/0) ====================================================================== UBSAN: shift-out-of-bounds in drivers/hid/hid-core.c:1323:20 shift exponent 127 is too large for 32-bit type 'int' CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.1.0-r... • https://git.kernel.org/stable/c/dde5845a529ff753364a6d1aea61180946270bfa •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-48977 – can: af_can: fix NULL pointer dereference in can_rcv_filter
https://notcve.org/view.php?id=CVE-2022-48977
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: can: af_can: fix NULL pointer dereference in can_rcv_filter Analogue to commit 8aa59e355949 ("can: af_can: fix NULL pointer dereference in can_rx_register()") we need to check for a missing initialization of ml_priv in the receive path of CAN frames. Since commit 4e096a18867a ("net: introduce CAN specific pointer in the struct net_device") the check for dev->type to be ARPHRD_CAN is not sufficient anymore since bonding or tun netdevices cla... • https://git.kernel.org/stable/c/4ac1feff6ea6495cbfd336f4438a6c6d140544a6 •