CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49236 – bpf: Fix UAF due to race between btf_try_get_module and load_module
https://notcve.org/view.php?id=CVE-2022-49236
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Fix UAF due to race between btf_try_get_module and load_module While working on code to populate kfunc BTF ID sets for module BTF from its initcall, I noticed that by the time the initcall is invoked, the module BTF can already be seen by userspace (and the BPF verifier). The existing btf_try_get_module calls try_module_get which only fails if mod->state == MODULE_STATE_GOING, i.e. it can increment module reference when module initcall... • https://git.kernel.org/stable/c/541c3bad8dc51b253ba8686d0cd7628e6b9b5f4c • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2022-49235 – ath9k_htc: fix uninit value bugs
https://notcve.org/view.php?id=CVE-2022-49235
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ath9k_htc: fix uninit value bugs Syzbot reported 2 KMSAN bugs in ath9k. All of them are caused by missing field initialization. In htc_connect_service() svc_meta_len and pad are not initialized. Based on code it looks like in current skb there is no service data, so simply initialize svc_meta_len to 0. htc_issue_send() does not initialize htc_frame_hdr::control array. Based on firmware code, it will initialize it by itself, so simply zero w... • https://git.kernel.org/stable/c/fb9987d0f748c983bb795a86f47522313f701a08 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49234 – net: dsa: Avoid cross-chip syncing of VLAN filtering
https://notcve.org/view.php?id=CVE-2022-49234
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: Avoid cross-chip syncing of VLAN filtering Changes to VLAN filtering are not applicable to cross-chip notifications. On a system like this: .-----. .-----. .-----. | sw1 +---+ sw2 +---+ sw3 | '-1-2-' '-1-2-' '-1-2-' Before this change, upon sw1p1 leaving a bridge, a call to dsa_port_vlan_filtering would also be made to sw2p1 and sw3p1. In this scenario: .---------. .-----. .-----. | sw1 +---+ sw2 +---+ sw3 | '-1-2-3-4-' '-1-2-' '-... • https://git.kernel.org/stable/c/d371b7c92d190448f3ccbf082c90bf929285f648 •
CVSS: -EPSS: 0%CPEs: 7EXPL: 0CVE-2022-49232 – drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes()
https://notcve.org/view.php?id=CVE-2022-49232
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix a NULL pointer dereference in amdgpu_dm_connector_add_common_modes() In amdgpu_dm_connector_add_common_modes(), amdgpu_dm_create_common_mode() is assigned to mode and is passed to drm_mode_probed_add() directly after that. drm_mode_probed_add() passes &mode->head to list_add_tail(), and there is a dereference of it in list_add_tail() without recoveries, which could lead to NULL pointer dereference on failure of amdgpu_d... • https://git.kernel.org/stable/c/e7b07ceef2a650e5ed8ca37997689e086c680daf •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49229 – ptp: unregister virtual clocks when unregistering physical clock.
https://notcve.org/view.php?id=CVE-2022-49229
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ptp: unregister virtual clocks when unregistering physical clock. When unregistering a physical clock which has some virtual clocks, unregister the virtual clocks with it. This fixes the following oops, which can be triggered by unloading a driver providing a PTP clock when it has enabled virtual clocks: BUG: unable to handle page fault for address: ffffffffc04fc4d8 Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:ptp_vclock_read+0x31/0xb0 Call ... • https://git.kernel.org/stable/c/73f37068d540eba5f93ba3a0019bf479d35ebd76 •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49227 – igc: avoid kernel warning when changing RX ring parameters
https://notcve.org/view.php?id=CVE-2022-49227
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: igc: avoid kernel warning when changing RX ring parameters Calling ethtool changing the RX ring parameters like this: $ ethtool -G eth0 rx 1024 on igc triggers kernel warnings like this: [ 225.198467] ------------[ cut here ]------------ [ 225.198473] Missing unregister, handled but fix driver [ 225.198485] WARNING: CPU: 7 PID: 959 at net/core/xdp.c:168 xdp_rxq_info_reg+0x79/0xd0 [...] [ 225.198601] Call Trace: [ 225.198604]
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49226 – net: asix: add proper error handling of usb read errors
https://notcve.org/view.php?id=CVE-2022-49226
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: asix: add proper error handling of usb read errors Syzbot once again hit uninit value in asix driver. The problem still the same -- asix_read_cmd() reads less bytes, than was requested by caller. Since all read requests are performed via asix_read_cmd() let's catch usb related error there and add __must_check notation to be sure all callers actually check return value. So, this patch adds sanity check inside asix_read_cmd(), that simpl... • https://git.kernel.org/stable/c/d9fe64e511144c1ee7d7555b4111f09dde9692ef •
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2022-49224 – power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init
https://notcve.org/view.php?id=CVE-2022-49224
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init kobject_init_and_add() takes reference even when it fails. According to the doc of kobject_init_and_add(): If this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object. Fix memory leak by calling kobject_put(). • https://git.kernel.org/stable/c/8c0984e5a75337df513047ec92a6c09d78e3e5cd •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49223 – cxl/port: Hold port reference until decoder release
https://notcve.org/view.php?id=CVE-2022-49223
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: cxl/port: Hold port reference until decoder release KASAN + DEBUG_KOBJECT_RELEASE reports a potential use-after-free in cxl_decoder_release() where it goes to reference its parent, a cxl_port, to free its id back to port->decoder_ida. BUG: KASAN: use-after-free in to_cxl_port+0x18/0x90 [cxl_core] Read of size 8 at addr ffff888119270908 by task kworker/35:2/379 CPU: 35 PID: 379 Comm: kworker/35:2 Tainted: G OE 5.17.0-rc2+ #198 Hardware name:... • https://git.kernel.org/stable/c/40ba17afdfabb01688c61565dbe02a916241bc05 • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49222 – drm/bridge: anx7625: Fix overflow issue on reading EDID
https://notcve.org/view.php?id=CVE-2022-49222
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/bridge: anx7625: Fix overflow issue on reading EDID The length of EDID block can be longer than 256 bytes, so we should use `int` instead of `u8` for the `edid_pos` variable. • https://git.kernel.org/stable/c/8bdfc5dae4e3ba4d99dfb430ef43249e5f1b7730 •