CVSS: 7.1 | EPSS: 0% | CPEs: 7 | EXPL: 0 | CVE-2022-50568 – usb: gadget: f_hid: fix f_hidg lifetime vs cdev
https://notcve.org/view.php?id=CVE-2022-50568
22 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_hid: fix f_hidg lifetime vs cdev The embedded struct cdev does not have its lifetime correctly tied to the enclosing struct f_hidg, so there is a use-after-free if /dev/hidgN is held open while the gadget is deleted. This can readily be replicated with libusbgx's example programs (for conciseness - operating directly via configfs is equivalent): gadget-hid exec 3<> /dev/hidg0 gadget-vid-pid-remove exec 3<&- Pull the existing ... • https://git.kernel.org/stable/c/71adf118946957839a13aa4d1094183e05c6c094 •
CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2022-50567 – fs: jfs: fix shift-out-of-bounds in dbAllocAG
https://notcve.org/view.php?id=CVE-2022-50567
22 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: jfs: fix shift-out-of-bounds in dbAllocAG Syzbot found a crash: UBSAN: shift-out-of-bounds in dbAllocAG. The underlying bug is the missing check of bmp->db_agl2size. The field can be greater than 64 and trigger the shift-out-of-bounds. Fix this bug by adding a check of bmp->db_agl2size in dbMount since this field is used in many following functions. The upper bound for this field is L2MAXL2SIZE - L2MAXAG, thanks for the help of Dave Kl... • https://git.kernel.org/stable/c/d3b486946a4e62c7ef6023f7d9c1d049051384ba •
CVSS: 5.5 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2022-50566 – mtd: Fix device name leak when register device failed in add_mtd_device()
https://notcve.org/view.php?id=CVE-2022-50566
22 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: mtd: Fix device name leak when register device failed in add_mtd_device() There is a kmemleak when register device failed: unreferenced object 0xffff888101aab550 (size 8): comm "insmod", pid 3922, jiffies 4295277753 (age 925.408s) hex dump (first 8 bytes): 6d 74 64 30 00 88 ff ff mtd0.... backtrace: [<00000000bde26724>] __kmalloc_node_track_caller+0x4e/0x150 [<000000003c32b416>] kvasprintf+0xb0/0x130 [<000000001f7a8f15>] kobject_set_name_va... • https://git.kernel.org/stable/c/1f24b5a8ecbb2a3c7080f418974d40e3ffedb221 •
CVSS: 7.1 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2022-50564 – s390/netiucv: Fix return type of netiucv_tx()
https://notcve.org/view.php?id=CVE-2022-50564
22 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: s390/netiucv: Fix return type of netiucv_tx() With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), indirect call targets are validated against the expected function pointer prototype to make sure the call target is valid to help mitigate ROP attacks. If they are not identical, there is a failure at run time, which manifests as either a kernel panic or thread getting killed. A proposed warning in clang aims to catch these at ... • https://git.kernel.org/stable/c/f13d870fce90f01cf930bfaffecc8185ae0be21c •
CVSS: 6.6 | EPSS: 0% | CPEs: 5 | EXPL: 0 | CVE-2022-50560 – drm/meson: explicitly remove aggregate driver at module unload time
https://notcve.org/view.php?id=CVE-2022-50560
22 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/meson: explicitly remove aggregate driver at module unload time Because component_master_del wasn't being called when unloading the meson_drm module, the aggregate device would linger forever in the global aggregate_devices list. That means when unloading and reloading the meson_dw_hdmi module, component_add would call into try_to_bring_up_aggregate_device and find the unbound meson_drm aggregate device. This would in turn dereference s... • https://git.kernel.org/stable/c/8a427a22839daacd36531a62c83d5c9cd6f20657 •
CVSS: 7.1 | EPSS: 0% | CPEs: 2 | EXPL: 0 | CVE-2025-40005 – spi: cadence-quadspi: Implement refcount to handle unbind during busy
https://notcve.org/view.php?id=CVE-2025-40005
20 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: spi: cadence-quadspi: Implement refcount to handle unbind during busy driver support indirect read and indirect write operation with assumption no force device removal(unbind) operation. However force device removal(removal) is still available to root superuser. Unbinding driver during operation causes kernel crash. This changes ensure driver able to handle such operation for indirect read and indirect write by implementing refcount to trac... • https://git.kernel.org/stable/c/b7ec8a2b094a33d0464958c2cbf75b8f229098b0 •
CVSS: 7.8 | EPSS: 0% | CPEs: 8 | EXPL: 0 | CVE-2025-40001 – scsi: mvsas: Fix use-after-free bugs in mvs_work_queue
https://notcve.org/view.php?id=CVE-2025-40001
18 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: mvsas: Fix use-after-free bugs in mvs_work_queue During the detaching of Marvell's SAS/SATA controller, the original code calls cancel_delayed_work() in mvs_free() to cancel the delayed work item mwq->work_q. However, if mwq->work_q is already running, the cancel_delayed_work() may fail to cancel it. This can lead to use-after-free scenarios where mvs_free() frees the mvs_info while mvs_work_queue() is still executing and attempts to ... • https://git.kernel.org/stable/c/20b09c2992fefbe78f8cede7b404fb143a413c52 •
CVSS: 7.8 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2025-39998 – scsi: target: target_core_configfs: Add length check to avoid buffer overflow
https://notcve.org/view.php?id=CVE-2025-39998
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: target_core_configfs: Add length check to avoid buffer overflow A buffer overflow arises from the usage of snprintf to write into the buffer "buf" in target_lu_gp_members_show function located in /drivers/target/target_core_configfs.c. This buffer is allocated with size LU_GROUP_NAME_BUF (256 bytes). snprintf(...) formats multiple strings into buf with the HBA name (hba->hba_group.cg_item), a slash character, a devicename (dev... • https://git.kernel.org/stable/c/e6eeee5dc0d9221ff96d1b229b1d0222c8871b84 •
CVSS: 7.1 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2025-39996 – media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove
https://notcve.org/view.php?id=CVE-2025-39996
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: media: b2c2: Fix use-after-free causing by irq_check_work in flexcop_pci_remove The original code uses cancel_delayed_work() in flexcop_pci_remove(), which does not guarantee that the delayed work item irq_check_work has fully completed if it was already running. This leads to use-after-free scenarios where flexcop_pci_remove() may free the flexcop_device while irq_check_work is still active and attempts to dereference the device. A typical... • https://git.kernel.org/stable/c/382c5546d618f24dc7d6ae7ca33412083720efbf •
CVSS: 7.1 | EPSS: 0% | CPEs: 9 | EXPL: 0 | CVE-2025-39993 – media: rc: fix races with imon_disconnect()
https://notcve.org/view.php?id=CVE-2025-39993
15 Oct 2025 — In the Linux kernel, the following vulnerability has been resolved: media: rc: fix races with imon_disconnect() Syzbot reports a KASAN issue as below: BUG: KASAN: use-after-free in __create_pipe include/linux/usb.h:1945 [inline] BUG: KASAN: use-after-free in send_packet+0xa2d/0xbc0 drivers/media/rc/imon.c:627 Read of size 4 at addr ffff8880256fb000 by task syz-executor314/4465 CPU: 2 PID: 4465 Comm: syz-executor314 Not tainted 6.0.0-rc1-syzkaller #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1... • https://git.kernel.org/stable/c/21677cfc562a27e099719d413287bc8d1d24deb7 •
