CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2022-48988 – memcg: fix possible use-after-free in memcg_write_event_control()
https://notcve.org/view.php?id=CVE-2022-48988
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: memcg: fix possible use-after-free in memcg_write_event_control() memcg_write_event_control() accesses the dentry->d_name of the specified control fd to route the write call. As a cgroup interface file can't be renamed, it's safe to access d_name as long as the specified file is a regular cgroup file. Also, as these cgroup interface files can't be removed before the directory, it's safe to access the parent too. Prior to 347c4a874710 ("memc... • https://git.kernel.org/stable/c/347c4a8747104a945ecced358944e42879176ca5 • CWE-416: Use After Free •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2022-48987 – media: v4l2-dv-timings.c: fix too strict blanking sanity checks
https://notcve.org/view.php?id=CVE-2022-48987
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: media: v4l2-dv-timings.c: fix too strict blanking sanity checks Sanity checks were added to verify the v4l2_bt_timings blanking fields in order to avoid integer overflows when userspace passes weird values. But that assumed that userspace would correctly fill in the front porch, backporch and sync values, but sometimes all you know is the total blanking, which is then assigned to just one of these fields. And that can fail with these checks... • https://git.kernel.org/stable/c/15ded23db134da975b49ea99770de0346c193b24 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-48986 – mm/gup: fix gup_pud_range() for dax
https://notcve.org/view.php?id=CVE-2022-48986
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: mm/gup: fix gup_pud_range() for dax For dax pud, pud_huge() returns true on x86. So the function works as long as hugetlb is configured. However, dax doesn't depend on hugetlb. Commit 414fd080d125 ("mm/gup: fix gup_pmd_range() for dax") fixed devmap-backed huge PMDs, but missed devmap-backed huge PUDs. Fix this as well. This fixes the below kernel panic: general protection fault, probably for non-canonical address 0x69e7c000cc478: 0000 [#1]... • https://git.kernel.org/stable/c/414fd080d125408cb15d04ff4907e1dd8145c8c7 •
CVSS: 4.7EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48985 – net: mana: Fix race on per-CQ variable napi work_done
https://notcve.org/view.php?id=CVE-2022-48985
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix race on per-CQ variable napi work_done After calling napi_complete_done(), the NAPIF_STATE_SCHED bit may be cleared, and another CPU can start napi thread and access per-CQ variable, cq->work_done. If the other thread (for example, from busy_poll) sets it to a value >= budget, this thread will continue to run when it should stop, and cause memory corruption and panic. To fix this issue, save the per-CQ work_done variable in a... • https://git.kernel.org/stable/c/e1b5683ff62e7b328317aec08869495992053e9d •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-48984 – can: slcan: fix freed work crash
https://notcve.org/view.php?id=CVE-2022-48984
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: can: slcan: fix freed work crash The LTP test pty03 is causing a crash in slcan: BUG: kernel NULL pointer dereference, address: 0000000000000008 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 PID: 348 Comm: kworker/0:3 Not tainted 6.0.8-1-default #1 openSUSE Tumbleweed 9d20364b934f5aab0a9bdf84e8f45cfdfae39dab Hardware name: QEMU Standard PC (i440FX +... • https://git.kernel.org/stable/c/cfcb4465e9923bb9ac168abcea84e880633f9cef •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48983 – io_uring: Fix a null-ptr-deref in io_tctx_exit_cb()
https://notcve.org/view.php?id=CVE-2022-48983
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: io_uring: Fix a null-ptr-deref in io_tctx_exit_cb() Syzkaller reports a NULL deref bug as follows: BUG: KASAN: null-ptr-deref in io_tctx_exit_cb+0x53/0xd3 Read of size 4 at addr 0000000000000138 by task file1/1955 CPU: 1 PID: 1955 Comm: file1 Not tainted 6.1.0-rc7-00103-gef4d3ea40565 #75 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014 Call Trace:
CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0CVE-2022-48982 – Bluetooth: Fix crash when replugging CSR fake controllers
https://notcve.org/view.php?id=CVE-2022-48982
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Fix crash when replugging CSR fake controllers It seems fake CSR 5.0 clones can cause the suspend notifier to be registered twice causing the following kernel panic: [ 71.986122] Call Trace: [ 71.986124]
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-48981 – drm/shmem-helper: Remove errant put in error path
https://notcve.org/view.php?id=CVE-2022-48981
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Remove errant put in error path drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM object getting prematurely freed leading to a later use-after-free. In the Linux kernel, the following vulnerability has been resolved: drm/shmem-helper: Remove errant put in error path drm_gem_shmem_mmap() doesn't own this reference, resulting in the GEM object getting prematurely freed leading to a later use-after-free. • https://git.kernel.org/stable/c/2194a63a818db71065ebe09c8104f5f021ca4e7b •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-48980 – net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing()
https://notcve.org/view.php?id=CVE-2022-48980
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: avoid out of bounds access in sja1105_init_l2_policing() The SJA1105 family has 45 L2 policing table entries (SJA1105_MAX_L2_POLICING_COUNT) and SJA1110 has 110 (SJA1110_MAX_L2_POLICING_COUNT). Keeping the table structure but accounting for the difference in port count (5 in SJA1105 vs 10 in SJA1110) does not fully explain the difference. Rather, the SJA1110 also has L2 ingress policers for multicast traffic. If a packet ... • https://git.kernel.org/stable/c/38fbe91f2287c696f290d9115901aa435f7166a8 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-48979 – drm/amd/display: fix array index out of bound error in DCN32 DML
https://notcve.org/view.php?id=CVE-2022-48979
21 Oct 2024 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix array index out of bound error in DCN32 DML [Why&How] LinkCapacitySupport array is indexed with the number of voltage states and not the number of max DPPs. Fix the error by changing the array declaration to use the correct (larger) array size of total number of voltage states. In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: fix array index out of bound error in DCN32 DML [Why&How] L... • https://git.kernel.org/stable/c/3d8a298b2e83b98042e6ec726e934f535b23e6aa •