CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2022-49205 – bpf, sockmap: Fix double uncharge the mem of sk_msg
https://notcve.org/view.php?id=CVE-2022-49205
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix double uncharge the mem of sk_msg If tcp_bpf_sendmsg is running during a tear down operation, psock may be freed. tcp_bpf_sendmsg() tcp_bpf_send_verdict() sk_msg_return() tcp_bpf_sendmsg_redir() unlikely(!psock)) sk_msg_free() The mem of msg has been uncharged in tcp_bpf_send_verdict() by sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock is null, we can simply returning an error code, this would th... • https://git.kernel.org/stable/c/604326b41a6fb9b4a78b6179335decee0365cd8c •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2022-49204 – bpf, sockmap: Fix more uncharged while msg has more_data
https://notcve.org/view.php?id=CVE-2022-49204
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix more uncharged while msg has more_data In tcp_bpf_send_verdict(), if msg has more data after tcp_bpf_sendmsg_redir(): tcp_bpf_send_verdict() tosend = msg->sg.size //msg->sg.size = 22220 case __SK_REDIRECT: sk_msg_return() //uncharged msg->sg.size(22220) sk->sk_forward_alloc tcp_bpf_sendmsg_redir() //after tcp_bpf_sendmsg_redir, msg->sg.size=11000 goto more_data; tosend = msg->sg.size //msg->sg.size = 11000 case __SK_REDIRE... • https://git.kernel.org/stable/c/604326b41a6fb9b4a78b6179335decee0365cd8c •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2022-49203 – drm/amd/display: Fix double free during GPU reset on DC streams
https://notcve.org/view.php?id=CVE-2022-49203
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix double free during GPU reset on DC streams [Why] The issue only occurs during the GPU reset code path. We first backup the current state prior to commiting 0 streams internally from DM to DC. This state backup contains valid link encoder assignments. DC will clear the link encoder assignments as part of current state (but not the backup, since it was a copied before the commit) and free the extra stream reference it hel... • https://git.kernel.org/stable/c/6d63fcc2a334f7bd15e4e9b1db50a19335d2af4f •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2022-49202 – Bluetooth: hci_uart: add missing NULL check in h5_enqueue
https://notcve.org/view.php?id=CVE-2022-49202
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_uart: add missing NULL check in h5_enqueue Syzbot hit general protection fault in __pm_runtime_resume(). The problem was in missing NULL check. hu->serdev can be NULL and we should not blindly pass &serdev->dev somewhere, since it will cause GPF. • https://git.kernel.org/stable/c/d9dd833cf6d29695682ec7e7924c0d0992b906bc •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2022-49201 – ibmvnic: fix race between xmit and reset
https://notcve.org/view.php?id=CVE-2022-49201
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ibmvnic: fix race between xmit and reset There is a race between reset and the transmit paths that can lead to ibmvnic_xmit() accessing an scrq after it has been freed in the reset path. It can result in a crash like: Kernel attempted to read user page (0) - exploit attempt? (uid: 0) BUG: Kernel NULL pointer dereference on read at 0x00000000 Faulting instruction address: 0xc0080000016189f8 Oops: Kernel access of bad area, sig: 11 [#1] ... N... • https://git.kernel.org/stable/c/7ed5b31f4a6695a21f617df07646e9b15c6c1d29 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2022-49200 – Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt
https://notcve.org/view.php?id=CVE-2022-49200
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtksdio: Fix kernel oops in btmtksdio_interrupt Fix the following kernel oops in btmtksdio_interrrupt [ 14.339134] btmtksdio_interrupt+0x28/0x54 [ 14.339139] process_sdio_pending_irqs+0x68/0x1a0 [ 14.339144] sdio_irq_work+0x40/0x70 [ 14.339154] process_one_work+0x184/0x39c [ 14.339160] worker_thread+0x228/0x3e8 [ 14.339168] kthread+0x148/0x3ac [ 14.339176] ret_from_fork+0x10/0x30 That happened because hdev->power_on is already ... • https://git.kernel.org/stable/c/9aebfd4a2200ab8075e44379c758bccefdc589bb •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2022-49199 – RDMA/nldev: Prevent underflow in nldev_stat_set_counter_dynamic_doit()
https://notcve.org/view.php?id=CVE-2022-49199
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/nldev: Prevent underflow in nldev_stat_set_counter_dynamic_doit() This code checks "index" for an upper bound but it does not check for negatives. Change the type to unsigned to prevent underflows. • https://git.kernel.org/stable/c/3c3c1f1416392382faa0238e76a70d7810aab2ef •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2022-49198 – mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb
https://notcve.org/view.php?id=CVE-2022-49198
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb Got crash when doing pressure test of mptcp: =========================================================================== dst_release: dst:ffffa06ce6e5c058 refcnt:-1 kernel tried to execute NX-protected page - exploit attempt? (uid: 0) BUG: unable to handle kernel paging request at ffffa06ce6e5c058 PGD 190a01067 P4D 190a01067 PUD 43fffb067 PMD 22e403063 PTE 8000000... • https://git.kernel.org/stable/c/f70cad1085d1e01d3ec73c1078405f906237feee •
CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2022-49197 – af_netlink: Fix shift out of bounds in group mask calculation
https://notcve.org/view.php?id=CVE-2022-49197
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: af_netlink: Fix shift out of bounds in group mask calculation When a netlink message is received, netlink_recvmsg() fills in the address of the sender. One of the fields is the 32-bit bitfield nl_groups, which carries the multicast group on which the message was received. The least significant bit corresponds to group 1, and therefore the highest group that the field can represent is 32. Above that, the UB sanitizer flags the out-of-bounds ... • https://git.kernel.org/stable/c/f7fa9b10edbb9391bdd4ec8e8b3d621d0664b198 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2022-49196 – powerpc/pseries: Fix use after free in remove_phb_dynamic()
https://notcve.org/view.php?id=CVE-2022-49196
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Fix use after free in remove_phb_dynamic() In remove_phb_dynamic() we use &phb->io_resource, after we've called device_unregister(&host_bridge->dev). But the unregister may have freed phb, because pcibios_free_controller_deferred() is the release function for the host_bridge. If there are no outstanding references when we call device_unregister() then phb will be freed out from under us. This has gone mainly unnoticed, but ... • https://git.kernel.org/stable/c/2dd9c11b9d4dfbd6c070eab7b81197f65e82f1a0 •