
CVSS: - | EPSS: % | CPEs: 7 | EXPL: 0

26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: oss: Fix PCM OSS buffer allocation overflow We've got syzbot reports hitting INT_MAX overflow at vmalloc() allocation that is called from snd_pcm_plug_alloc(). Although we apply the restrictions to input parameters, it's based only on the hw_params of the underlying PCM device. Since the PCM OSS layer allocates a temporary buffer for the data conversion, the size may become unexpectedly large when more channels or higher rates is give... • https://git.kernel.org/stable/c/a63af1baf0a5e11827db60e3127f87e437cab6e5 •

CVSS: - | EPSS: % | CPEs: 8 | EXPL: 0

26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix races among concurrent hw_params and hw_free calls Currently we have neither proper check nor protection against the concurrent calls of PCM hw_params and hw_free ioctls, which may result in a UAF. Since the existing PCM stream lock can't be used for protecting the whole ioctl operations, we need a new mutex to protect those racy calls. This patch introduced a new mutex, runtime->buffer_mutex, and applies it to both hw_params... • https://git.kernel.org/stable/c/a42aa926843acca96c0dfbde2e835b8137f2f092 •

CVSS: - | EPSS: % | CPEs: 11 | EXPL: 0

26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: mac80211: fix potential double free on mesh join While commit 6a01afcf8468 ("mac80211: mesh: Free ie data when leaving mesh") fixed a memory leak on mesh leave / teardown it introduced a potential memory corruption caused by a double free when rejoining the mesh:

    ieee80211_leave_mesh()
    -> kfree(sdata->u.mesh.ie);
    ...
    ieee80211_join_mesh()
    -> copy_mesh_setup()
       -> old_ie = ifmsh->ie;
       -> kfree(old_ie);

This double free / kernel panics can be r... • https://git.kernel.org/stable/c/3212d6248faf0efce6b7a718e198feecce0eea05 •

CVSS: - | EPSS: % | CPEs: 4 | EXPL: 0

26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: uaccess: fix integer overflow on access_ok() Three architectures check the end of a user access against the address limit without taking a possible overflow into account. Passing a negative length or another overflow in here returns success when it should not. Use the most common correct implementation here, which optimizes for a constant 'size' argument, and turns the common case into a single comparison. • https://git.kernel.org/stable/c/7567746e1c0d66ac0ef8a9d8816ca694462c7370 •

CVSS: - | EPSS: % | CPEs: 8 | EXPL: 0

26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: pcm: Fix races among concurrent prealloc proc writes We have no protection against concurrent PCM buffer preallocation changes via proc files, and it may potentially lead to UAF or some weird problem. This patch applies the PCM open_mutex to the proc write operation for avoiding the racy proc writes and the PCM stream open (and further operations). • https://git.kernel.org/stable/c/e7786c445bb67a9a6e64f66ebd6b7215b153ff7d •

CVSS: - | EPSS: % | CPEs: 8 | EXPL: 0

26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: tpm: fix reference counting for struct tpm_chip The following sequence of operations results in a refcount warning:

    1. Open device /dev/tpmrm.
    2. Remove module tpm_tis_spi.
    3. Write a TPM command to the file descriptor opened at step 1.

    ------------[ cut here ]------------
    WARNING: CPU: 3 PID: 1161 at lib/refcount.c:25 kobject_get+0xa0/0xa4
    refcount_t: addition on 0; use-after-free.
    Modules linked in: tpm_tis_spi tpm_tis_core tpm mdio_bcm_u...

• https://git.kernel.org/stable/c/8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 •

CVSS: - | EPSS: % | CPEs: 6 | EXPL: 0

26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: tpm: use try_get_ops() in tpm-space.c As part of the series conversion to remove nested TPM operations: https://lore.kernel.org/all/20190205224723.19671-1-jarkko.sakkinen@linux.intel.com/ exposure of the chip->tpm_mutex was removed from much of the upper level code. In this conversion, tpm2_del_space() was missed. This didn't matter much because it's usually called closely after a converted operation, so there's only a very tiny race window... • https://git.kernel.org/stable/c/5b1d2561a03e534064b51c50c774657833d3d2cf •

CVSS: - | EPSS: % | CPEs: 3 | EXPL: 0

26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: iio: accel: mma8452: use the correct logic to get mma8452_data The original logic to get mma8452_data is wrong: the *dev points to the device belonging to iio_dev. We can't use this dev to find the correct i2c_client. The original logic happens to work because it finally uses dev->driver_data to get iio_dev. Using the API to_i2c_client() here is wrong and confuses the reader. To correct the logic, it should be like this: struct mma8452_data *data = ... • https://git.kernel.org/stable/c/c3cdd6e48e35b7a02f28e301ef30a87ff3cd6527 •

CVSS: - | EPSS: % | CPEs: 4 | EXPL: 0

26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: coresight: syscfg: Fix memleak on registration failure in cscfg_create_device device_register() calls device_initialize(), according to doc of device_initialize: "Use put_device() to give up your reference instead of freeing @dev directly once you have called this function." To prevent potential memleak, use put_device() for error handling. • https://git.kernel.org/stable/c/85e2414c518a03a21dddd4bc88fec2723c5e1197 •

CVSS: - | EPSS: % | CPEs: 5 | EXPL: 0

26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: firmware: sysfb: fix platform-device leak in error path Make sure to free the platform device also in the unlikely event that registration fails. • https://git.kernel.org/stable/c/8633ef82f101c040427b57d4df7b706261420b94 •