CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2022-49059 – nfc: nci: add flush_workqueue to prevent uaf
https://notcve.org/view.php?id=CVE-2022-49059
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nfc: nci: add flush_workqueue to prevent uaf Our detector found a concurrent use-after-free bug when detaching an NCI device. The main reason for this bug is the unexpected scheduling between the used delayed mechanism (timer and workqueue). The race can be demonstrated below: Thread-1 Thread-2 | nci_dev_up() | nci_open_device() | __nci_request(nci_reset_req) | nci_send_cmd | queue_work(cmd_work) nci_unregister_device() | nci_close_device()... • https://git.kernel.org/stable/c/6a2968aaf50c7a22fced77a5e24aa636281efca8 •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2022-49058 – cifs: potential buffer overflow in handling symlinks
https://notcve.org/view.php?id=CVE-2022-49058
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: potential buffer overflow in handling symlinks Smatch printed a warning: arch/x86/crypto/poly1305_glue.c:198 poly1305_update_arch() error: __memcpy() 'dctx->buf' too small (16 vs u32max) It's caused because Smatch marks 'link_len' as untrusted since it comes from sscanf(). Add a check to ensure that 'link_len' is not larger than the size of the 'link_str' buffer. • https://git.kernel.org/stable/c/c69c1b6eaea1b3e1eecf7ad2fba0208ac4a11131 •
CVSS: -EPSS: %CPEs: 2EXPL: 0CVE-2022-49057 – block: null_blk: end timed out poll request
https://notcve.org/view.php?id=CVE-2022-49057
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: block: null_blk: end timed out poll request When poll request is timed out, it is removed from the poll list, but not completed, so the request is leaked, and never get chance to complete. Fix the issue by ending it in timeout handler. • https://git.kernel.org/stable/c/0a593fbbc245a85940ed34caa3aa1e4cb060c54b •
CVSS: -EPSS: %CPEs: 1EXPL: 0CVE-2022-49056 – io_uring: abort file assignment prior to assigning creds
https://notcve.org/view.php?id=CVE-2022-49056
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring: abort file assignment prior to assigning creds We need to either restore creds properly if we fail on the file assignment, or just do the file assignment first instead. Let's do the latter as it's simpler, should make no difference here for file assignment. • https://git.kernel.org/stable/c/2c443b22756cf75dc594d4d32bf64505bf4ce84b •
CVSS: -EPSS: %CPEs: 8EXPL: 0CVE-2022-49055 – drm/amdkfd: Check for potential null return of kmalloc_array()
https://notcve.org/view.php?id=CVE-2022-49055
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Check for potential null return of kmalloc_array() As the kmalloc_array() may return null, the 'event_waiters[i].wait' would lead to null-pointer dereference. Therefore, it is better to check the return value of kmalloc_array() to avoid this confusion. • https://git.kernel.org/stable/c/32cf90a521dcc0f136db7ee5ba32bfe5f79e460e •
CVSS: -EPSS: %CPEs: 3EXPL: 0CVE-2022-49054 – Drivers: hv: vmbus: Deactivate sysctl_record_panic_msg by default in isolated guests
https://notcve.org/view.php?id=CVE-2022-49054
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Deactivate sysctl_record_panic_msg by default in isolated guests hv_panic_page might contain guest-sensitive information, do not dump it over to Hyper-V by default in isolated guests. While at it, update some comments in hyperv_{panic,die}_event(). • https://git.kernel.org/stable/c/1b576e81d31b56b248316b8ff816b1cc5c4407c7 •
CVSS: -EPSS: %CPEs: 7EXPL: 0CVE-2022-49053 – scsi: target: tcmu: Fix possible page UAF
https://notcve.org/view.php?id=CVE-2022-49053
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: tcmu: Fix possible page UAF tcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not take refcount properly and just returns page pointer. When tcmu_try_get_data_page() returns, the returned page may have been freed by tcmu_blocks_release(). We need to get_page() under cmdr_lock to avoid concurrent tcmu_blocks_release(). • https://git.kernel.org/stable/c/d7c5d79e50be6e06b669141e3db1f977a0dd4e8e •
CVSS: -EPSS: %CPEs: 6EXPL: 0CVE-2022-49052 – mm: fix unexpected zeroed page mapping with zram swap
https://notcve.org/view.php?id=CVE-2022-49052
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: mm: fix unexpected zeroed page mapping with zram swap Two processes under CLONE_VM cloning, user process can be corrupted by seeing zeroed page unexpectedly. CPU A CPU B do_swap_page do_swap_page SWP_SYNCHRONOUS_IO path SWP_SYNCHRONOUS_IO path swap_readpage valid data swap_slot_free_notify delete zram entry swap_readpage zeroed(invalid) data pte_lock map the *zero data* to userspace pte_unlock pte_lock if (!pte_same) goto out_nomap; pte_unl... • https://git.kernel.org/stable/c/0bcac06f27d7528591c27ac2b093ccd71c5d0168 •
CVSS: -EPSS: %CPEs: 5EXPL: 0CVE-2022-49051 – net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
https://notcve.org/view.php?id=CVE-2022-49051
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: usb: aqc111: Fix out-of-bounds accesses in RX fixup aqc111_rx_fixup() contains several out-of-bounds accesses that can be triggered by a malicious (or defective) USB device, in particular: - The metadata array (desc_offset..desc_offset+2*pkt_count) can be out of bounds, causing OOB reads and (on big-endian systems) OOB endianness flips. - A packet can overlap the metadata array, causing a later OOB endianness flip to corrupt data used ... • https://git.kernel.org/stable/c/404998a137bcb8a926f7c949030afbe285472593 •
CVSS: -EPSS: %CPEs: 4EXPL: 0CVE-2022-49050 – memory: renesas-rpc-if: fix platform-device leak in error path
https://notcve.org/view.php?id=CVE-2022-49050
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: memory: renesas-rpc-if: fix platform-device leak in error path Make sure to free the flash platform device in the event that registration fails during probe. • https://git.kernel.org/stable/c/ca7d8b980b67f133317525c4273e144116ee1ae5 •