CVSS: -EPSS: %CPEs: 9EXPL: 0CVE-2022-49145 – ACPI: CPPC: Avoid out of bounds access when parsing _CPC data
https://notcve.org/view.php?id=CVE-2022-49145
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Avoid out of bounds access when parsing _CPC data If the NumEntries field in the _CPC return package is less than 2, do not attempt to access the "Revision" element of that package, because it may not be present then. BugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/ • https://git.kernel.org/stable/c/337aadff8e4567e39669e07d9a88b789d78458b5 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2022-49144 – io_uring: fix memory leak of uid in files registration
https://notcve.org/view.php?id=CVE-2022-49144
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring: fix memory leak of uid in files registration When there are no files for __io_sqe_files_scm() to process in the range, it'll free everything and return. However, it forgets to put uid. • https://git.kernel.org/stable/c/08a451739a9b5783f67de51e84cb6d9559bb9dc4 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2022-49143 – nbd: fix possible overflow on 'first_minor' in nbd_dev_add()
https://notcve.org/view.php?id=CVE-2022-49143
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nbd: fix possible overflow on 'first_minor' in nbd_dev_add() When 'index' is a big numbers, it may become negative which forced to 'int'. then 'index << part_shift' might overflow to a positive value that is not greater than '0xfffff', then sysfs might complains about duplicate creation. Because of this, move the 'index' judgment to the front will fix it and be better. • https://git.kernel.org/stable/c/b0d9111a2d53785847763c64c40af2d4c4c5a8b7 •
CVSS: -EPSS: %CPEs: 11EXPL: 0CVE-2022-49142 – net: preserve skb_end_offset() in skb_unclone_keeptruesize()
https://notcve.org/view.php?id=CVE-2022-49142
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: preserve skb_end_offset() in skb_unclone_keeptruesize() syzbot found another way to trigger the infamous WARN_ON_ONCE(delta < len) in skb_try_coalesce() [1] I was able to root cause the issue to kfence. When kfence is in action, the following assertion is no longer true: int size = xxxx; void *ptr1 = kmalloc(size, gfp); void *ptr2 = kmalloc(size, gfp); if (ptr1 && ptr2) ASSERT(ksize(ptr1) == ksize(ptr2)); We attempted to fix these issu... • https://git.kernel.org/stable/c/097b9146c0e26aabaa6ff3e5ea536a53f5254a79 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2022-49141 – net: dsa: felix: fix possible NULL pointer dereference
https://notcve.org/view.php?id=CVE-2022-49141
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: felix: fix possible NULL pointer dereference As the possible failure of the allocation, kzalloc() may return NULL pointer. Therefore, it should be better to check the 'sgi' in order to prevent the dereference of NULL pointer. • https://git.kernel.org/stable/c/23ae3a7877718931474684ef4fbbaf1d1511ee84 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2022-49140 – Revert "nbd: fix possible overflow on 'first_minor' in nbd_dev_add()"
https://notcve.org/view.php?id=CVE-2022-49140
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "nbd: fix possible overflow on 'first_minor' in nbd_dev_add()" This reverts commit 6d35d04a9e18990040e87d2bbf72689252669d54. Both Gabriel and Borislav report that this commit casues a regression with nbd: sysfs: cannot create duplicate filename '/dev/block/43:0' Revert it before 5.18-rc1 and we'll investigage this separately in due time. • https://git.kernel.org/stable/c/3b14aa053181709d42319d4145855025c23ddd12 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2022-49139 – Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt
https://notcve.org/view.php?id=CVE-2022-49139
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt This event is just specified for SCO and eSCO link types. On the reception of a HCI_Synchronous_Connection_Complete for a BDADDR of an existing LE connection, LE link type and a status that triggers the second case of the packet processing a NULL pointer dereference happens, as conn->link is NULL. • https://git.kernel.org/stable/c/1c1291a84e94f6501644634c97544bb8291e9a1a •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2022-49138 – Bluetooth: hci_event: Ignore multiple conn complete events
https://notcve.org/view.php?id=CVE-2022-49138
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Ignore multiple conn complete events When one of the three connection complete events is received multiple times for the same handle, the device is registered multiple times which leads to memory corruptions. Therefore, consequent events for a single connection are ignored. The conn->state can hold different values, therefore HCI_CONN_HANDLE_UNSET is introduced to identify new connections. To make sure the events do no... • https://git.kernel.org/stable/c/aa1ca580e3ffe62a2c5ea1c095b609b2943c5269 •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2022-49137 – drm/amd/amdgpu/amdgpu_cs: fix refcount leak of a dma_fence obj
https://notcve.org/view.php?id=CVE-2022-49137
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/amdgpu/amdgpu_cs: fix refcount leak of a dma_fence obj This issue takes place in an error path in amdgpu_cs_fence_to_handle_ioctl(). When `info->in.what` falls into default case, the function simply returns -EINVAL, forgetting to decrement the reference count of a dma_fence obj, which is bumped earlier by amdgpu_cs_get_fence(). This may result in reference count leaks. Fix it by decreasing the refcount of specific object before retu... • https://git.kernel.org/stable/c/72d77ddb2224ebc00648f4f78f8a9a259dccbdf7 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2022-49136 – Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set
https://notcve.org/view.php?id=CVE-2022-49136
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_sync: Fix queuing commands when HCI_UNREGISTER is set hci_cmd_sync_queue shall return an error if HCI_UNREGISTER flag has been set as that means hci_unregister_dev has been called so it will likely cause a uaf after the timeout as the hdev will be freed. • https://git.kernel.org/stable/c/1c69ef84a808676cceb69210addf5df45b741323 •