CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2022-49084 – qede: confirm skb is allocated before using
https://notcve.org/view.php?id=CVE-2022-49084
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: qede: confirm skb is allocated before using qede_build_skb() assumes build_skb() always works and goes straight to skb_reserve(). However, build_skb() can fail under memory pressure. This results in a kernel panic because the skb to reserve is NULL. Add a check in case build_skb() failed to allocate and return NULL. The NULL return is handled correctly in callers to qede_build_skb(). • https://git.kernel.org/stable/c/8a8633978b842c88fbcfe00d4e5dde96048f630e •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2022-49083 – iommu/omap: Fix regression in probe for NULL pointer dereference
https://notcve.org/view.php?id=CVE-2022-49083
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: iommu/omap: Fix regression in probe for NULL pointer dereference Commit 3f6634d997db ("iommu: Use right way to retrieve iommu_ops") started triggering a NULL pointer dereference for some omap variants: __iommu_probe_device from probe_iommu_group+0x2c/0x38 probe_iommu_group from bus_for_each_dev+0x74/0xbc bus_for_each_dev from bus_iommu_probe+0x34/0x2e8 bus_iommu_probe from bus_set_iommu+0x80/0xc8 bus_set_iommu from omap_iommu_init+0x88/0xcc... • https://git.kernel.org/stable/c/6785eb9105e3363aa51408c700a55e8b5f88fcf6 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2022-49082 – scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove()
https://notcve.org/view.php?id=CVE-2022-49082
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Fix use after free in _scsih_expander_node_remove() The function mpt3sas_transport_port_remove() called in _scsih_expander_node_remove() frees the port field of the sas_expander structure, leading to the following use-after-free splat from KASAN when the ioc_info() call following that function is executed (e.g. when doing rmmod of the driver module): [ 3479.371167] =============================================================... • https://git.kernel.org/stable/c/7d310f241001e090cf1ec0f3ae836b38d8c6ebec •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2022-49081 – highmem: fix checks in __kmap_local_sched_{in,out}
https://notcve.org/view.php?id=CVE-2022-49081
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: highmem: fix checks in __kmap_local_sched_{in,out} When CONFIG_DEBUG_KMAP_LOCAL is enabled __kmap_local_sched_{in,out} check that even slots in the tsk->kmap_ctrl.pteval are unmapped. The slots are initialized with 0 value, but the check is done with pte_none. 0 pte however does not necessarily mean that pte_none will return true. e.g. on xtensa it returns false, resulting in the following runtime warnings: WARNING: CPU: 0 PID: 101 at mm/hi... • https://git.kernel.org/stable/c/5fbda3ecd14a5343644979c98d6eb65b7e7de9d8 •
CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2022-49080 – mm/mempolicy: fix mpol_new leak in shared_policy_replace
https://notcve.org/view.php?id=CVE-2022-49080
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: mm/mempolicy: fix mpol_new leak in shared_policy_replace If mpol_new is allocated but not used in restart loop, mpol_new will be freed via mpol_put before returning to the caller. But refcnt is not initialized yet, so mpol_put could not do the right things and might leak the unused mpol_new. This would happen if mempolicy was updated on the shared shmem file while the sp->lock has been dropped during the memory allocation. This issue could ... • https://git.kernel.org/stable/c/42288fe366c4f1ce7522bc9f27d0bc2a81c55264 •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2022-49078 – lz4: fix LZ4_decompress_safe_partial read out of bound
https://notcve.org/view.php?id=CVE-2022-49078
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: lz4: fix LZ4_decompress_safe_partial read out of bound When partialDecoding, it is EOF if we've either filled the output buffer or can't proceed with reading an offset for following match. In some extreme corner cases when compressed data is suitably corrupted, UAF will occur. As reported by KASAN [1], LZ4_decompress_safe_partial may lead to read out of bound problem during decoding. lz4 upstream has fixed it [2] and this issue has been dis... • https://git.kernel.org/stable/c/73953dfa9d50e5c9fe98ee13fd1d3427aa12a0a3 •
CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2022-49077 – mmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0)
https://notcve.org/view.php?id=CVE-2022-49077
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: mmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0) If an mremap() syscall with old_size=0 ends up in move_page_tables(), it will call invalidate_range_start()/invalidate_range_end() unnecessarily, i.e. with an empty range. This causes a WARN in KVM's mmu_notifier. In the past, empty ranges have been diagnosed to be off-by-one bugs, hence the WARNing. Given the low (so far) number of unique reports, the benefits of ... • https://git.kernel.org/stable/c/a05540f3903bd8295e8c4cd90dd3d416239a115b •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2022-49076 – RDMA/hfi1: Fix use-after-free bug for mm struct
https://notcve.org/view.php?id=CVE-2022-49076
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/hfi1: Fix use-after-free bug for mm struct Under certain conditions, such as MPI_Abort, the hfi1 cleanup code may represent the last reference held on the task mm. hfi1_mmu_rb_unregister() then drops the last reference and the mm is freed before the final use in hfi1_release_user_pages(). A new task may allocate the mm structure while it is still being used, resulting in problems. One manifestation is corruption of the mmap_sem counter... • https://git.kernel.org/stable/c/3d2a9d642512c21a12d19b9250e7a835dcb41a79 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2022-49075 – btrfs: fix qgroup reserve overflow the qgroup limit
https://notcve.org/view.php?id=CVE-2022-49075
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: fix qgroup reserve overflow the qgroup limit We use extent_changeset->bytes_changed in qgroup_reserve_data() to record how many bytes we set for EXTENT_QGROUP_RESERVED state. Currently the bytes_changed is set as "unsigned int", and it will overflow if we try to fallocate a range larger than 4GiB. The result is we reserve less bytes and eventually break the qgroup limit. Unlike regular buffered/direct write, which we use one changese... • https://git.kernel.org/stable/c/0355387ea5b02d353c9415613fab908fac5c52a6 •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2022-49074 – irqchip/gic-v3: Fix GICR_CTLR.RWP polling
https://notcve.org/view.php?id=CVE-2022-49074
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3: Fix GICR_CTLR.RWP polling It turns out that our polling of RWP is totally wrong when checking for it in the redistributors, as we test the *distributor* bit index, whereas it is a different bit number in the RDs... Oopsie boo. This is embarassing. Not only because it is wrong, but also because it took *8 years* to notice the blunder... Just fix the damn thing. • https://git.kernel.org/stable/c/021f653791ad17e03f98aaa7fb933816ae16f161 •