CVSS: 7.8 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2022-50426 – remoteproc: imx_dsp_rproc: Add mutex protection for workqueue
https://notcve.org/view.php?id=CVE-2022-50426
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: remoteproc: imx_dsp_rproc: Add mutex protection for workqueue The workqueue may execute late even after remoteproc is stopped or stopping, some resources (rpmsg device and endpoint) have been released in rproc_stop_subdevices(), then rproc_vq_interrupt() accessing these resources will cause kernel dump. Call trace: virtqueue_add_split+0x1ac/0x560 virtqueue_add_inbuf+0x4c/0x60 rpmsg_recv_done+0x15c/0x294 vring_interrupt+0x6c/0xa4 rproc_vq_in... • https://git.kernel.org/stable/c/ec0e5549f3586d2cb99a05edd006d722ebad912c • CWE-820: Missing Synchronization •
CVSS: 5.5 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2022-50425 – x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly
https://notcve.org/view.php?id=CVE-2022-50425
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Fix copy_xstate_to_uabi() to copy init states correctly When an extended state component is not present in fpstate, but in init state, the function copies from init_fpstate via copy_feature(). But, dynamic states are not present in init_fpstate because of all-zeros init states. Then retrieving them from init_fpstate will explode like this: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... RIP: 0010:memcpy_erms+0x6... • https://git.kernel.org/stable/c/2308ee57d93d896618dd65c996429c9d3e469fe0 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2022-50424 – wifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability()
https://notcve.org/view.php?id=CVE-2022-50424
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: resource leaks at mt7921_check_offload_capability() Fixed coverity issue with resource leaks at variable "fw" going out of scope leaks the storage it points to mt7921_check_offload_capability(). Addresses-Coverity-ID: 1527806 ("Resource leaks") • https://git.kernel.org/stable/c/034ae28b56f13dc1f2beb3fa294b455f57ede9cb •
CVSS: 7.8 • EPSS: 0% • CPEs: 13 • EXPL: 0 • CVE-2022-50423 – ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
https://notcve.org/view.php?id=CVE-2022-50423
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() There is a use-after-free reported by KASAN: BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82 Read of size 1 at addr ffff888112afc460 by task modprobe/2111 CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), Call Trace:
CVSS: 7.1 • EPSS: 0% • CPEs: 6 • EXPL: 0 • CVE-2022-50422 – scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
https://notcve.org/view.php?id=CVE-2022-50422
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: libsas: Fix use-after-free bug in smp_execute_task_sg() When executing an SMP task fails, smp_execute_task_sg() calls del_timer() to delete "slow_task->timer". However, if the timer handler sas_task_internal_timedout() is running, the del_timer() in smp_execute_task_sg() will not stop it and a UAF will happen. The process is shown below: (thread 1) | (thread 2) smp_execute_task_sg() | sas_task_internal_timedout() ... | del_timer() |... • https://git.kernel.org/stable/c/2908d778ab3e244900c310974e1fc1c69066e450 •
CVSS: 7.8 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2022-50421 – rpmsg: char: Avoid double destroy of default endpoint
https://notcve.org/view.php?id=CVE-2022-50421
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: rpmsg: char: Avoid double destroy of default endpoint The rpmsg_dev_remove() in rpmsg_core is the place for releasing this default endpoint. So we need to avoid destroying the default endpoint in rpmsg_chrdev_eptdev_destroy(); this should be the same as rpmsg_eptdev_release(). Otherwise there will be a double destroy issue where ept->refcount reports the warning: refcount_t: underflow; use-after-free. Call trace: refcount_warn_saturate+0xf8/0x150 virt... • https://git.kernel.org/stable/c/bea9b79c2d10fecf7bfa26e212ecefe61d232e39 • CWE-1341: Multiple Releases of Same Resource or Handle •
CVSS: 5.5 • EPSS: 0% • CPEs: 4 • EXPL: 0 • CVE-2022-50420 – crypto: hisilicon/hpre - fix resource leak in remove process
https://notcve.org/view.php?id=CVE-2022-50420
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/hpre - fix resource leak in remove process In hpre_remove(), when the disable operation of qm sriov failed, the following logic should continue to be executed to release the remaining resources that have been allocated, instead of returning directly, otherwise there will be resource leakage. • https://git.kernel.org/stable/c/c8b4b477079d1995cc0a1c10d5cdfd02be938cdf •
CVSS: 6.4 • EPSS: 0% • CPEs: 3 • EXPL: 0 • CVE-2025-39927 – ceph: fix race condition validating r_parent before applying state
https://notcve.org/view.php?id=CVE-2025-39927
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: ceph: fix race condition validating r_parent before applying state Add validation to ensure the cached parent directory inode matches the directory info in MDS replies. This prevents client-side race conditions where concurrent operations (e.g. rename) cause r_parent to become stale between request initiation and reply processing, which could lead to applying state changes to incorrect directory inodes. [ idryomov: folded a kerneldoc fixup ... • https://git.kernel.org/stable/c/9030aaf9bf0a1eee47a154c316c789e959638b0f • CWE-364: Signal Handler Race Condition •
CVSS: 7.2 • EPSS: 0% • CPEs: 2 • EXPL: 0 • CVE-2025-39925 – can: j1939: implement NETDEV_UNREGISTER notification handler
https://notcve.org/view.php?id=CVE-2025-39925
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: can: j1939: implement NETDEV_UNREGISTER notification handler syzbot is reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 problem, for j1939 protocol did not have NETDEV_UNREGISTER notification handler for undoing changes made by j1939_sk_bind(). Commit 25fe97cb7620 ("can: j1939: move j1939_priv_put() into sk_destruct callback") expects that a call to j1939_priv_put() can be unconditionally delayed until j1939... • https://git.kernel.org/stable/c/9d71dd0c70099914fcd063135da3c580865e924c •
CVSS: 6.6 • EPSS: 0% • CPEs: 11 • EXPL: 0 • CVE-2025-39923 – dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees
https://notcve.org/view.php?id=CVE-2025-39923
01 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: bam_dma: Fix DT error handling for num-channels/ees When we don't have a clock specified in the device tree, we have no way to ensure the BAM is on. This is often the case for remotely-controlled or remotely-powered BAM instances. In this case, we need to read num-channels from the DT to have all the necessary information to complete probing. However, at the moment invalid device trees without clock and without num-channels... • https://git.kernel.org/stable/c/48d163b1aa6e7f650c0b7a4f9c61c387a6def868 •
