CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2022-49078 – lz4: fix LZ4_decompress_safe_partial read out of bound
https://notcve.org/view.php?id=CVE-2022-49078
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: lz4: fix LZ4_decompress_safe_partial read out of bound When partialDecoding, it is EOF if we've either filled the output buffer or can't proceed with reading an offset for following match. In some extreme corner cases when compressed data is suitably corrupted, UAF will occur. As reported by KASAN [1], LZ4_decompress_safe_partial may lead to read out of bound problem during decoding. lz4 upstream has fixed it [2] and this issue has been dis... • https://git.kernel.org/stable/c/73953dfa9d50e5c9fe98ee13fd1d3427aa12a0a3 •
CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2022-49077 – mmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0)
https://notcve.org/view.php?id=CVE-2022-49077
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: mmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0) If an mremap() syscall with old_size=0 ends up in move_page_tables(), it will call invalidate_range_start()/invalidate_range_end() unnecessarily, i.e. with an empty range. This causes a WARN in KVM's mmu_notifier. In the past, empty ranges have been diagnosed to be off-by-one bugs, hence the WARNing. Given the low (so far) number of unique reports, the benefits of ... • https://git.kernel.org/stable/c/a05540f3903bd8295e8c4cd90dd3d416239a115b •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2022-49076 – RDMA/hfi1: Fix use-after-free bug for mm struct
https://notcve.org/view.php?id=CVE-2022-49076
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/hfi1: Fix use-after-free bug for mm struct Under certain conditions, such as MPI_Abort, the hfi1 cleanup code may represent the last reference held on the task mm. hfi1_mmu_rb_unregister() then drops the last reference and the mm is freed before the final use in hfi1_release_user_pages(). A new task may allocate the mm structure while it is still being used, resulting in problems. One manifestation is corruption of the mmap_sem counter... • https://git.kernel.org/stable/c/3d2a9d642512c21a12d19b9250e7a835dcb41a79 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2022-49075 – btrfs: fix qgroup reserve overflow the qgroup limit
https://notcve.org/view.php?id=CVE-2022-49075
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix qgroup reserve overflow the qgroup limit We use extent_changeset->bytes_changed in qgroup_reserve_data() to record how many bytes we set for EXTENT_QGROUP_RESERVED state. Currently the bytes_changed is set as "unsigned int", and it will overflow if we try to fallocate a range larger than 4GiB. The result is we reserve less bytes and eventually break the qgroup limit. Unlike regular buffered/direct write, which we use one changese... • https://git.kernel.org/stable/c/0355387ea5b02d353c9415613fab908fac5c52a6 •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2022-49074 – irqchip/gic-v3: Fix GICR_CTLR.RWP polling
https://notcve.org/view.php?id=CVE-2022-49074
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3: Fix GICR_CTLR.RWP polling It turns out that our polling of RWP is totally wrong when checking for it in the redistributors, as we test the *distributor* bit index, whereas it is a different bit number in the RDs... Oopsie boo. This is embarassing. Not only because it is wrong, but also because it took *8 years* to notice the blunder... Just fix the damn thing. • https://git.kernel.org/stable/c/021f653791ad17e03f98aaa7fb933816ae16f161 •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2022-49073 – ata: sata_dwc_460ex: Fix crash due to OOB write
https://notcve.org/view.php?id=CVE-2022-49073
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ata: sata_dwc_460ex: Fix crash due to OOB write the driver uses libata's "tag" values from in various arrays. Since the mentioned patch bumped the ATA_TAG_INTERNAL to 32, the value of the SATA_DWC_QCMD_MAX needs to account for that. Otherwise ATA_TAG_INTERNAL usage cause similar crashes like this as reported by Tice Rex on the OpenWrt Forum and reproduced (with symbols) here: | BUG: Kernel NULL pointer dereference at 0x00000000 | Faulting i... • https://git.kernel.org/stable/c/28361c403683c2b00d4f5e76045f3ccd299bf99d •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2022-49072 – gpio: Restrict usage of GPIO chip irq members before initialization
https://notcve.org/view.php?id=CVE-2022-49072
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: gpio: Restrict usage of GPIO chip irq members before initialization GPIO chip irq members are exposed before they could be completely initialized and this leads to race conditions. One such issue was observed for the gc->irq.domain variable which was accessed through the I2C interface in gpiochip_to_irq() before it could be initialized by gpiochip_add_irqchip(). This resulted in Kernel NULL pointer dereference. Following are the logs for re... • https://git.kernel.org/stable/c/7e88a50704b0c49ad3f2d11e8b963341cf68a89f •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2022-49069 – drm/amd/display: Fix by adding FPU protection for dcn30_internal_validate_bw
https://notcve.org/view.php?id=CVE-2022-49069
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix by adding FPU protection for dcn30_internal_validate_bw [Why] Below general protection fault observed when WebGL Aquarium is run for longer duration. If drm debug logs are enabled and set to 0x1f then the issue is observed within 10 minutes of run. [ 100.717056] general protection fault, probably for non-canonical address 0x2d33302d32323032: 0000 [#1] PREEMPT SMP NOPTI [ 100.727921] CPU: 3 PID: 1906 Comm: DrmThread Tain... • https://git.kernel.org/stable/c/e995c5d52ec7415644eee617fc7e906b51aec7ae •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2022-49067 – powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit
https://notcve.org/view.php?id=CVE-2022-49067
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit mpe: On 64-bit Book3E vmalloc space starts at 0x8000000000000000. Because of the way __pa() works we have: __pa(0x8000000000000000) == 0, and therefore virt_to_pfn(0x8000000000000000) == 0, and therefore virt_addr_valid(0x8000000000000000) == true Which is wrong, virt_addr_valid() should be false for vmalloc space. In fact all vmalloc addresses that alias with a valid PFN will return... • https://git.kernel.org/stable/c/deab81144d5a043f42804207fb76cfbd8a806978 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2022-49066 – veth: Ensure eth header is in skb's linear part
https://notcve.org/view.php?id=CVE-2022-49066
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: veth: Ensure eth header is in skb's linear part After feeding a decapsulated packet to a veth device with act_mirred, skb_headlen() may be 0. But veth_xmit() calls __dev_forward_skb(), which expects at least ETH_HLEN byte of linear data (as __dev_forward_skb2() calls eth_type_trans(), which pulls ETH_HLEN bytes unconditionally). Use pskb_may_pull() to ensure veth_xmit() respects this constraint. kernel BUG at include/linux/skbuff.h:2328! RI... • https://git.kernel.org/stable/c/e314dbdc1c0dc6a548ecf0afce28ecfd538ff568 •