CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49950 – misc: fastrpc: fix memory corruption on open
https://notcve.org/view.php?id=CVE-2022-49950
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix memory corruption on open The probe session-duplication overflow check incremented the session count also when there were no more available sessions so that memory beyond the fixed-size slab-allocated session array could be corrupted in fastrpc_session_alloc() on open(). In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix memory corruption on open The probe session-duplication overflow c... • https://git.kernel.org/stable/c/f6f9279f2bf0e37e2f1fb119d8832b8568536a04 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49948 – vt: Clear selection before changing the font
https://notcve.org/view.php?id=CVE-2022-49948
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: vt: Clear selection before changing the font When changing the console font with ioctl(KDFONTOP) the new font size can be bigger than the previous font. A previous selection may thus now be outside of the new screen size and thus trigger out-of-bounds accesses to graphics memory if the selection is removed in vc_do_resize(). Prevent such out-of-memory accesses by dropping the selection before the various con_font_set() console handlers are ... • https://git.kernel.org/stable/c/c555cf04684fde39b5b0dd9fd80730030ee10c4a •
CVSS: 6.9EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49947 – binder: fix alloc->vma_vm_mm null-ptr dereference
https://notcve.org/view.php?id=CVE-2022-49947
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: binder: fix alloc->vma_vm_mm null-ptr dereference Syzbot reported a couple issues introduced by commit 44e602b4e52f ("binder_alloc: add missing mmap_lock calls when using the VMA"), in which we attempt to acquire the mmap_lock when alloc->vma_vm_mm has not been initialized yet. This can happen if a binder_proc receives a transaction without having previously called mmap() to setup the binder_proc->alloc space in [1]. Also, a similar issue o... • https://git.kernel.org/stable/c/577d9c05cc48c5242bcf719c06a5baf3105473ad •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49946 – clk: bcm: rpi: Prevent out-of-bounds access
https://notcve.org/view.php?id=CVE-2022-49946
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Prevent out-of-bounds access The while loop in raspberrypi_discover_clocks() relies on the assumption that the id of the last clock element is zero. Because this data comes from the Videocore firmware and it doesn't guarantuee such a behavior this could lead to out-of-bounds access. So fix this by providing a sentinel element. In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Prevent out-of-bo... • https://git.kernel.org/stable/c/93d2725affd65686792f4b57e49ef660f3c8c0f9 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49945 – hwmon: (gpio-fan) Fix array out of bounds access
https://notcve.org/view.php?id=CVE-2022-49945
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (gpio-fan) Fix array out of bounds access The driver does not check if the cooling state passed to gpio_fan_set_cur_state() exceeds the maximum cooling state as stored in fan_data->num_speeds. Since the cooling state is later used as an array index in set_fan_speed(), an array out of bounds access can occur. This can be exploited by setting the state of the thermal cooling device to arbitrary values, causing for example a kernel oops... • https://git.kernel.org/stable/c/b5cf88e46badea6d600d8515edea23814e03444d •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49942 – wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected
https://notcve.org/view.php?id=CVE-2022-49942
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected When we are not connected to a channel, sending channel "switch" announcement doesn't make any sense. The BSS list is empty in that case. This causes the for loop in cfg80211_get_bss() to be bypassed, so the function returns NULL (check line 1424 of net/wireless/scan.c), causing the WARN_ON() in ieee80211_ibss_csa_beacon() to get triggered (check line 500 of net/mac802... • https://git.kernel.org/stable/c/cd7760e62c2ac8581f050b2d36501d1a60beaf83 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49940 – tty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf()
https://notcve.org/view.php?id=CVE-2022-49940
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf() A null pointer dereference can happen when attempting to access the "gsm->receive()" function in gsmld_receive_buf(). Currently, the code assumes that gsm->recieve is only called after MUX activation. Since the gsmld_receive_buf() function can be accessed without the need to initialize the MUX, the gsm->receive() function will not be set and a NULL pointer dereference will o... • https://git.kernel.org/stable/c/dfa9b6d34aac2154b5e926d7a7a061123bf137c6 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2022-49939 – binder: fix UAF of ref->proc caused by race condition
https://notcve.org/view.php?id=CVE-2022-49939
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of ref->proc caused by race condition A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel the call will race with binder_deferred_release(), so the target could have released all of its references by now leaving the cleanup of the new failed referen... • https://git.kernel.org/stable/c/229f47603dd306bc0eb1a831439adb8e48bb0eae •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49938 – cifs: fix small mempool leak in SMB2_negotiate()
https://notcve.org/view.php?id=CVE-2022-49938
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: fix small mempool leak in SMB2_negotiate() In some cases of failure (dialect mismatches) in SMB2_negotiate(), after the request is sent, the checks would return -EIO when they should be rather setting rc = -EIO and jumping to neg_exit to free the response buffer from mempool. In the Linux kernel, the following vulnerability has been resolved: cifs: fix small mempool leak in SMB2_negotiate() In some cases of failure (dialect mismatches... • https://git.kernel.org/stable/c/9e3c9efa7caf16e5acc05eab5e4d0a714e1610b0 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49937 – media: mceusb: Use new usb_control_msg_*() routines
https://notcve.org/view.php?id=CVE-2022-49937
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: media: mceusb: Use new usb_control_msg_*() routines Automatic kernel fuzzing led to a WARN about invalid pipe direction in the mceusb driver: ------------[ cut here ]------------ usb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40 WARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410 usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-0020... • https://git.kernel.org/stable/c/587f793c64d99d92be8ef01c4c69d885a3f2edb6 •