CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-50678 – wifi: brcmfmac: fix invalid address access when enabling SCAN log level
https://notcve.org/view.php?id=CVE-2022-50678
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix invalid address access when enabling SCAN log level The variable i is changed when setting random MAC address and causes invalid address access when printing the value of pi->reqs[i]->reqid. We replace reqs index with ri to fix the issue. [ 136.726473] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 [ 136.737365] Mem abort info: [ 136.740172] ESR = 0x96000004 [ 1... • https://git.kernel.org/stable/c/efc2c1fa8e145b60a7805fa9b6c92ac0746fccc3 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2022-50677 – ipmi: fix use after free in _ipmi_destroy_user()
https://notcve.org/view.php?id=CVE-2022-50677
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ipmi: fix use after free in _ipmi_destroy_user() The intf_free() function frees the "intf" pointer so we cannot dereference it again on the next line. In the Linux kernel, the following vulnerability has been resolved: ipmi: fix use after free in _ipmi_destroy_user() The intf_free() function frees the "intf" pointer so we cannot dereference it again on the next line. • https://git.kernel.org/stable/c/f9d405a4bd6090ffbf3bba5e2da6b44c0e013cb3 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50676 – net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
https://notcve.org/view.php?id=CVE-2022-50676
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks() syzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for commit ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in rds_tcp_reset_callbacks()") added cancel_delayed_work_sync() into a section protected by lock_sock() without realizing that rds_send_xmit() might call lock_sock(). We don't need to protect cancel_delayed_work_sync() using lo... • https://git.kernel.org/stable/c/ac3615e7f3cffe2a1a6b25172dfd09e138593d82 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-50675 – arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored
https://notcve.org/view.php?id=CVE-2022-50675
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE is untagged"), mte_sync_tags() was only called for pte_tagged() entries (those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use test_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently setting PG_mte_tagged on an untagged page. The above commit was required as guests may ... • https://git.kernel.org/stable/c/69e3b846d8a753f9f279f29531ca56b0f7563ad0 •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2022-50673 – ext4: fix use-after-free in ext4_orphan_cleanup
https://notcve.org/view.php?id=CVE-2022-50673
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix use-after-free in ext4_orphan_cleanup I caught a issue as follows: ================================================================== BUG: KASAN: use-after-free in __list_add_valid+0x28/0x1a0 Read of size 8 at addr ffff88814b13f378 by task mount/710 CPU: 1 PID: 710 Comm: mount Not tainted 6.1.0-rc3-next #370 Call Trace:
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-50672 – mailbox: zynq-ipi: fix error handling while device_register() fails
https://notcve.org/view.php?id=CVE-2022-50672
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mailbox: zynq-ipi: fix error handling while device_register() fails If device_register() fails, it has two issues: 1. The name allocated by dev_set_name() is leaked. 2. The parent of device is not NULL, device_unregister() is called in zynqmp_ipi_free_mboxes(), it will lead a kernel crash because of removing not added device. Call put_device() to give up the reference, so the name is freed in kobject_cleanup(). Add device registered check i... • https://git.kernel.org/stable/c/4981b82ba2ff87df6a711fcd7a233c615df5fc79 •
CVSS: 5.5EPSS: 0%CPEs: 9EXPL: 0CVE-2022-50671 – RDMA/rxe: Fix "kernel NULL pointer dereference" error
https://notcve.org/view.php?id=CVE-2022-50671
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix "kernel NULL pointer dereference" error When rxe_queue_init in the function rxe_qp_init_req fails, both qp->req.task.func and qp->req.task.arg are not initialized. Because of creation of qp fails, the function rxe_create_qp will call rxe_qp_do_cleanup to handle allocated resource. Before calling __rxe_do_task, both qp->req.task.func and qp->req.task.arg should be checked. In the Linux kernel, the following vulnerability has be... • https://git.kernel.org/stable/c/8700e3e7c4857d28ebaa824509934556da0b3e76 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-50670 – mmc: omap_hsmmc: fix return value check of mmc_add_host()
https://notcve.org/view.php?id=CVE-2022-50670
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mmc: omap_hsmmc: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1. The memory that allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete device, but it's not added yet, it will lead a kernel crash because of null-ptr-deref in device_del(). Fix this by checking the return value and goto error path wihch wi... • https://git.kernel.org/stable/c/a45c6cb816474cefe56059fce422a9bdcd77e0dc •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2022-50669 – misc: ocxl: fix possible name leak in ocxl_file_register_afu()
https://notcve.org/view.php?id=CVE-2022-50669
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: misc: ocxl: fix possible name leak in ocxl_file_register_afu() If device_register() returns error in ocxl_file_register_afu(), the name allocated by dev_set_name() need be freed. As comment of device_register() says, it should use put_device() to give up the reference in the error path. So fix this by calling put_device(), then the name can be freed in kobject_cleanup(), and info is freed in info_release(). In the Linux kernel, the followin... • https://git.kernel.org/stable/c/75ca758adbafc81804c39b2c200ecdc819a6c042 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2022-50668 – ext4: fix deadlock due to mbcache entry corruption
https://notcve.org/view.php?id=CVE-2022-50668
09 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: fix deadlock due to mbcache entry corruption When manipulating xattr blocks, we can deadlock infinitely looping inside ext4_xattr_block_set() where we constantly keep finding xattr block for reuse in mbcache but we are unable to reuse it because its reference count is too big. This happens because cache entry for the xattr block is marked as reusable (e_reusable set) although its reference count is too big. When this inconsistency hap... • https://git.kernel.org/stable/c/6048c64b26097a0ffbd966866b599f990e674e9b •