CVSS: 7.0EPSS: %CPEs: 8EXPL: 0CVE-2022-49775 – tcp: cdg: allow tcp_cdg_release() to be called multiple times
https://notcve.org/view.php?id=CVE-2022-49775
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: tcp: cdg: allow tcp_cdg_release() to be called multiple times Apparently, mptcp is able to call tcp_disconnect() on an already disconnected flow. This is generally fine, unless current congestion control is CDG, because it might trigger a double-free [1] Instead of fixing MPTCP, and future bugs, we can make tcp_disconnect() more resilient. [1] BUG: KASAN: double-free in slab_free mm/slub.c:3539 [inline] BUG: KASAN: double-free in kfree+0xe2... • https://git.kernel.org/stable/c/2b0a8c9eee81882fc0001ccf6d9af62cdc682f9e •
CVSS: 7.1EPSS: %CPEs: 2EXPL: 0CVE-2022-49773 – drm/amd/display: Fix optc2_configure warning on dcn314
https://notcve.org/view.php?id=CVE-2022-49773
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix optc2_configure warning on dcn314 [Why] dcn314 uses optc2_configure_crc() that wraps optc1_configure_crc() + set additional registers not applicable to dcn314. It's not critical but when used leads to warning like: WARNING: drivers/gpu/drm/amd/amdgpu/../display/dc/dc_helper.c Call Trace:
CVSS: 5.5EPSS: %CPEs: 8EXPL: 0CVE-2022-49772 – ALSA: usb-audio: Drop snd_BUG_ON() from snd_usbmidi_output_open()
https://notcve.org/view.php?id=CVE-2022-49772
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Drop snd_BUG_ON() from snd_usbmidi_output_open() snd_usbmidi_output_open() has a check of the NULL port with snd_BUG_ON(). snd_BUG_ON() was used as this shouldn't have happened, but in reality, the NULL port may be seen when the device gives an invalid endpoint setup at the descriptor, hence the driver skips the allocation. That is, the check itself is valid and snd_BUG_ON() should be dropped from there. Otherwise it's conf... • https://git.kernel.org/stable/c/872c9314769e89d8bda74ff3ac584756a45ee752 •
CVSS: 7.1EPSS: %CPEs: 8EXPL: 0CVE-2022-49771 – dm ioctl: fix misbehavior if list_versions races with module loading
https://notcve.org/view.php?id=CVE-2022-49771
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: dm ioctl: fix misbehavior if list_versions races with module loading __list_versions will first estimate the required space using the "dm_target_iterate(list_version_get_needed, &needed)" call and then will fill the space using the "dm_target_iterate(list_version_get_info, &iter_info)" call. Each of these calls locks the targets using the "down_read(&_lock)" and "up_read(&_lock)" calls, however between the first and second "dm_target_iterat... • https://git.kernel.org/stable/c/0c8d4112df329bf3dfbf27693f918c3b08676538 •
CVSS: 7.1EPSS: %CPEs: 6EXPL: 0CVE-2022-49770 – ceph: avoid putting the realm twice when decoding snaps fails
https://notcve.org/view.php?id=CVE-2022-49770
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ceph: avoid putting the realm twice when decoding snaps fails When decoding the snaps fails it maybe leaving the 'first_realm' and 'realm' pointing to the same snaprealm memory. And then it'll put it twice and could cause random use-after-free, BUG_ON, etc issues. In the Linux kernel, the following vulnerability has been resolved: ceph: avoid putting the realm twice when decoding snaps fails When decoding the snaps fails it maybe leaving th... • https://git.kernel.org/stable/c/274e4c79a3a2a24fba7cfe0e41113f1138785c37 •
CVSS: 5.5EPSS: %CPEs: 8EXPL: 0CVE-2022-49769 – gfs2: Check sb_bsize_shift after reading superblock
https://notcve.org/view.php?id=CVE-2022-49769
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: gfs2: Check sb_bsize_shift after reading superblock Fuzzers like to scribble over sb_bsize_shift but in reality it's very unlikely that this field would be corrupted on its own. Nevertheless it should be checked to avoid the possibility of messy mount errors due to bad calculations. It's always a fixed value based on the block size so we can just check that it's the expected value. Tested with: mkfs.gfs2 -O -p lock_nolock /dev/vdb for i in ... • https://git.kernel.org/stable/c/d6b1e8ea6f3418c3b461ad5a35cdc93c996b2c87 •
CVSS: 5.5EPSS: %CPEs: 8EXPL: 0CVE-2022-49768 – 9p: trans_fd/p9_conn_cancel: drop client lock earlier
https://notcve.org/view.php?id=CVE-2022-49768
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: 9p: trans_fd/p9_conn_cancel: drop client lock earlier syzbot reported a double-lock here and we no longer need this lock after requests have been moved off to local list: just drop the lock earlier. In the Linux kernel, the following vulnerability has been resolved: 9p: trans_fd/p9_conn_cancel: drop client lock earlier syzbot reported a double-lock here and we no longer need this lock after requests have been moved off to local list: just d... • https://git.kernel.org/stable/c/82825dbf393f7c7979d462f9609a15bde8092b3f •
CVSS: 2.5EPSS: %CPEs: 8EXPL: 0CVE-2022-49767 – 9p/trans_fd: always use O_NONBLOCK read/write
https://notcve.org/view.php?id=CVE-2022-49767
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: 9p/trans_fd: always use O_NONBLOCK read/write syzbot is reporting hung task at p9_fd_close() [1], for p9_mux_poll_stop() from p9_conn_destroy() from p9_fd_close() is failing to interrupt already started kernel_read() from p9_fd_read() from p9_read_work() and/or kernel_write() from p9_fd_write() from p9_write_work() requests. Since p9_socket_open() sets O_NONBLOCK flag, p9_mux_poll_stop() does not need to interrupt kernel_read()/kernel_write... • https://git.kernel.org/stable/c/0b5e6bd72b8171364616841603a70e4ba9837063 •
CVSS: 8.5EPSS: %CPEs: 2EXPL: 0CVE-2022-49766 – netlink: Bounds-check struct nlmsgerr creation
https://notcve.org/view.php?id=CVE-2022-49766
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: netlink: Bounds-check struct nlmsgerr creation In preparation for FORTIFY_SOURCE doing bounds-check on memcpy(), switch from __nlmsg_put to nlmsg_put(), and explain the bounds check for dealing with the memcpy() across a composite flexible array struct. Avoids this future run-time warning: memcpy: detected field-spanning write (size 32) of single field "&errmsg->msg" at net/netlink/af_netlink.c:2447 (size 16) In the Linux kernel, the follow... • https://git.kernel.org/stable/c/aff4eb16f589c3af322a2582044bca365381fcd6 •
CVSS: 7.1EPSS: %CPEs: 3EXPL: 0CVE-2022-49765 – net/9p: use a dedicated spinlock for trans_fd
https://notcve.org/view.php?id=CVE-2022-49765
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net/9p: use a dedicated spinlock for trans_fd Shamelessly copying the explanation from Tetsuo Handa's suggested patch[1] (slightly reworded): syzbot is reporting inconsistent lock state in p9_req_put()[2], for p9_tag_remove() from p9_req_put() from IRQ context is using spin_lock_irqsave() on "struct p9_client"->lock but trans_fd (not from IRQ context) is using spin_lock(). Since the locks actually protect different things in client.c and in... • https://git.kernel.org/stable/c/43bbadb7e4636dc02f6a283c2a39e6438e6173cd •