CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2024-57975 – btrfs: do proper folio cleanup when run_delalloc_nocow() failed
https://notcve.org/view.php?id=CVE-2024-57975
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: do proper folio cleanup when run_delalloc_nocow() failed [BUG] With CONFIG_DEBUG_VM set, test case generic/476 has some chance to crash with the following VM_BUG_ON_FOLIO(): BTRFS error (device dm-3): cow_file_range failed, start 1146880 end 1253375 len 106496 ret -28 BTRFS error (device dm-3): run_delalloc_nocow failed, start 1146880 end 1253375 len 106496 ret -28 page: refcount:4 mapcount:0 mapping:00000000592787cc index:0x12 pfn:0... • https://git.kernel.org/stable/c/5ae72abbf91eb172ce3a838a4dc34be3c9707296 •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2024-57974 – udp: Deal with race between UDP socket address change and rehash
https://notcve.org/view.php?id=CVE-2024-57974
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: udp: Deal with race between UDP socket address change and rehash If a UDP socket changes its local address while it's receiving datagrams, as a result of connect(), there is a period during which a lookup operation might fail to find it, after the address is changed but before the secondary hash (port and address) and the four-tuple hash (local and remote ports and addresses) are updated. Secondary hash chains were introduced by commit 30ff... • https://git.kernel.org/stable/c/30fff9231fad757c061285e347b33c5149c2c2e4 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2024-57973 – rdma/cxgb4: Prevent potential integer overflow on 32bit
https://notcve.org/view.php?id=CVE-2024-57973
27 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: rdma/cxgb4: Prevent potential integer overflow on 32bit The "gl->tot_len" variable is controlled by the user. It comes from process_responses(). On 32bit systems, the "gl->tot_len + sizeof(struct cpl_pass_accept_req) + sizeof(struct rss_header)" addition could have an integer wrapping bug. Use size_add() to prevent this. • https://git.kernel.org/stable/c/1cab775c3e75f1250c965feafd061d696df36e53 •
CVSS: 5.5EPSS: %CPEs: 8EXPL: 0CVE-2022-49731 – ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo()
https://notcve.org/view.php?id=CVE-2022-49731
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo() In an unlikely (and probably wrong?) case that the 'ppi' parameter of ata_host_alloc_pinfo() points to an array starting with a NULL pointer, there's going to be a kernel oops as the 'pi' local variable won't get reassigned from the initial value of NULL. Initialize 'pi' instead to '&ata_dummy_port_info' to fix the possible kernel oops for good... Found by Linux Verification... • https://git.kernel.org/stable/c/ca4693e6e06e4fd2b240c0fec47aa2498c94848e •
CVSS: 5.5EPSS: %CPEs: 3EXPL: 0CVE-2022-49730 – scsi: lpfc: Resolve NULL ptr dereference after an ELS LOGO is aborted
https://notcve.org/view.php?id=CVE-2022-49730
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Resolve NULL ptr dereference after an ELS LOGO is aborted A use-after-free crash can occur after an ELS LOGO is aborted. Specifically, a nodelist structure is freed and then ndlp->vport->cfg_log_verbose is dereferenced in lpfc_nlp_get() when the discovery state machine is mistakenly called a second time with NLP_EVT_DEVICE_RM argument. Rework lpfc_cmpl_els_logo() to prevent the duplicate calls to release a nodelist structure. In... • https://git.kernel.org/stable/c/5e83869e29448958f8ae2c6911f350318f75e4fc •
CVSS: 5.5EPSS: %CPEs: 8EXPL: 0CVE-2022-49729 – nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred
https://notcve.org/view.php?id=CVE-2022-49729
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred Similar to the handling of play_deferred in commit 19cfe912c37b ("Bluetooth: btusb: Fix memory leak in play_deferred"), we thought a patch might be needed here as well. Currently usb_submit_urb is called directly to submit deferred tx urbs after unanchor them. So the usb_giveback_urb_bh would failed to unref it in usb_unanchor_urb and cause memory leak. Put those urbs in tx_anchor to av... • https://git.kernel.org/stable/c/1eb0afecfb9cd0f38424b82bd9aaa542310934ee •
CVSS: 7.1EPSS: %CPEs: 2EXPL: 0CVE-2022-49728 – ipv6: Fix signed integer overflow in __ip6_append_data
https://notcve.org/view.php?id=CVE-2022-49728
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix signed integer overflow in __ip6_append_data Resurrect ubsan overflow checks and ubsan report this warning, fix it by change the variable [length] type to size_t. UBSAN: signed-integer-overflow in net/ipv6/ip6_output.c:1489:19 2147479552 + 8567 cannot be represented in type 'int' CPU: 0 PID: 253 Comm: err Not tainted 5.16.0+ #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x214/0x230 show_stack+0x30/0x78 dump_st... • https://git.kernel.org/stable/c/84dc940890e91e42898e4443a093281702440abf •
CVSS: 7.8EPSS: %CPEs: 8EXPL: 0CVE-2022-49727 – ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg
https://notcve.org/view.php?id=CVE-2022-49727
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be overflow. To fix, we can follow what udpv6 does and subtract the transhdrlen from the max. In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be overflow. To fix, we can follow what udpv... • https://git.kernel.org/stable/c/2cf73c7cb6125083408d77f43d0e84d86aed0000 •
CVSS: 5.5EPSS: %CPEs: 8EXPL: 0CVE-2022-49712 – usb: gadget: lpc32xx_udc: Fix refcount leak in lpc32xx_udc_probe
https://notcve.org/view.php?id=CVE-2022-49712
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: lpc32xx_udc: Fix refcount leak in lpc32xx_udc_probe of_parse_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. of_node_put() will check NULL pointer. In the Linux kernel, the following vulnerability has been resolved: usb: gadget: lpc32xx_udc: Fix refcount leak in lpc32xx_udc_probe of_parse_phandle() returns a no... • https://git.kernel.org/stable/c/24a28e4283510dcd58890379a42b8a7d3201d9d3 •
CVSS: 7.1EPSS: %CPEs: 5EXPL: 0CVE-2022-49710 – dm mirror log: round up region bitmap size to BITS_PER_LONG
https://notcve.org/view.php?id=CVE-2022-49710
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: dm mirror log: round up region bitmap size to BITS_PER_LONG The code in dm-log rounds up bitset_size to 32 bits. It then uses find_next_zero_bit_le on the allocated region. find_next_zero_bit_le accesses the bitmap using unsigned long pointers. So, on 64-bit architectures, it may access 4 bytes beyond the allocated size. Fix this bug by rounding up bitset_size to BITS_PER_LONG. This bug was found by running the lvm2 testsuite with kasan. • https://git.kernel.org/stable/c/29121bd0b00ebb9524971a583fea4a2f7afe8041 •