CVSS: 7.8 • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2022-50368 – drm/msm/dsi: fix memory corruption with too many bridges
https://notcve.org/view.php?id=CVE-2022-50368
17 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/msm/dsi: fix memory corruption with too many bridges Add the missing sanity check on the bridge counter to avoid corrupting data beyond the fixed-sized bridge array in case there are ever more than eight bridges. Patchwork: https://patchwork.freedesktop.org/patch/502668/ This update provides the initial livepatch for this kernel update. This update does not contain any fixes and will be updated with livepatches later. • https://git.kernel.org/stable/c/a689554ba6ed81cf606c16539f6ffc2a1dcdaf8e • CWE-787: Out-of-bounds Write •
CVSS: 7.8 • EPSS: 0% • CPEs: 9 • EXPL: 0
CVE-2022-50367 – fs: fix UAF/GPF bug in nilfs_mdt_destroy
https://notcve.org/view.php?id=CVE-2022-50367
17 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: fs: fix UAF/GPF bug in nilfs_mdt_destroy In alloc_inode, inode_init_always() could return -ENOMEM if security_inode_alloc() fails, which leaves inode->i_private uninitialized. Then nilfs_is_metadata_file_inode() returns true and nilfs_free_inode() wrongly calls nilfs_mdt_destroy(), which frees the uninitialized inode->i_private and leads to crashes (e.g., UAF/GPF). Fix this by moving security_inode_alloc just prior to this_cpu_inc(nr_inodes)... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-416: Use After Free •
CVSS: 7.1 • EPSS: 0% • CPEs: 9 • EXPL: 0
CVE-2022-50366 – powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue
https://notcve.org/view.php?id=CVE-2022-50366
17 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue When value < time_unit, the parameter of ilog2() will be zero and the return value is -1. u64(-1) is too large for shift exponent and then will trigger shift-out-of-bounds: shift exponent 18446744073709551615 is too large for 32-bit type 'int' Call Trace: rapl_compute_time_window_core rapl_write_data_raw set_time_window store_constraint_time_window_us • https://git.kernel.org/stable/c/2d281d8196e38dd3a4ee9af26621ddde8329f269 • CWE-125: Out-of-bounds Read •
CVSS: 5.5 • EPSS: 0% • CPEs: 10 • EXPL: 0
CVE-2022-50365 – skbuff: Account for tail adjustment during pull operations
https://notcve.org/view.php?id=CVE-2022-50365
17 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: skbuff: Account for tail adjustment during pull operations Extending the tail can have some unexpected side effects if a program uses a helper like BPF_FUNC_skb_pull_data to read partial content beyond the head skb headlen when all the skbs in the gso frag_list are linear with no head_frag - kernel BUG at net/core/skbuff.c:4219! pc : skb_segment+0xcf4/0xd2c lr : skb_segment+0x63c/0xd2c Call trace: skb_segment+0xcf4/0xd2c __udp_gso_segment+0... • https://git.kernel.org/stable/c/162a5a8c3aff15c449e6b38355cdf80ab4f77a5a •
CVSS: 5.5 • EPSS: 0% • CPEs: 5 • EXPL: 0
CVE-2022-50364 – i2c: mux: reg: check return value after calling platform_get_resource()
https://notcve.org/view.php?id=CVE-2022-50364
17 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: i2c: mux: reg: check return value after calling platform_get_resource() It will cause a null-ptr-deref in resource_size() if platform_get_resource() returns NULL. Move the call to resource_size() after devm_ioremap_resource(), which will check 'res', to avoid the null-ptr-deref. And use devm_platform_get_and_ioremap_resource() to simplify the code. • https://git.kernel.org/stable/c/b3fdd32799d834e2626fae087906e886037350c6 • CWE-476: NULL Pointer Dereference •
CVSS: 5.5 • EPSS: 0% • CPEs: 9 • EXPL: 0
CVE-2022-50359 – media: cx88: Fix a null-ptr-deref bug in buffer_prepare()
https://notcve.org/view.php?id=CVE-2022-50359
17 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: media: cx88: Fix a null-ptr-deref bug in buffer_prepare() When the driver calls cx88_risc_buffer() to prepare the buffer, the function call may fail, resulting in an empty buffer and null-ptr-deref later in buffer_queue(). The following log can reveal it: [ 41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI [ 41.824488] KASAN: null-ptr-deref in range [0x0000000000000000... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 • CWE-476: NULL Pointer Dereference •
CVSS: 4.2 • EPSS: 0% • CPEs: 6 • EXPL: 0
CVE-2022-50358 – brcmfmac: return error when getting invalid max_flowrings from dongle
https://notcve.org/view.php?id=CVE-2022-50358
17 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: brcmfmac: return error when getting invalid max_flowrings from dongle When the firmware hits a trap at initialization, the host will read an abnormal max_flowrings number from the dongle, and it will cause a kernel panic when doing iowrite to initialize the dongle ring. To detect this error at an early stage, we directly return an error when getting an invalid max_flowrings (>256). • https://git.kernel.org/stable/c/9e37f045d5e7f33450515f237c2f6f6bfee137dd •
CVSS: 7.0 • EPSS: 0% • CPEs: 4 • EXPL: 0
CVE-2022-50356 – net: sched: sfb: fix null pointer access issue when sfb_init() fails
https://notcve.org/view.php?id=CVE-2022-50356
17 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: net: sched: sfb: fix null pointer access issue when sfb_init() fails When the default qdisc is sfb, if the qdisc of dev_queue fails to be inited during mqprio_init(), sfb_reset() is invoked to clear resources. In this case, the q->qdisc is NULL, and it will cause gpf issue. The process is as follows: qdisc_create_dflt() sfb_init() tcf_block_get() --->failed, q->qdisc is NULL ... qdisc_put() ... sfb_reset() qdisc_reset(q->qdisc) --->q->qdisc... • https://git.kernel.org/stable/c/e13e02a3c68d899169c78d9a18689bd73491d59a • CWE-476: NULL Pointer Dereference •
CVSS: 5.5 • EPSS: 0% • CPEs: 8 • EXPL: 0
CVE-2022-50353 – mmc: wmt-sdmmc: fix return value check of mmc_add_host()
https://notcve.org/view.php?id=CVE-2022-50353
17 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: mmc: wmt-sdmmc: fix return value check of mmc_add_host() mmc_add_host() may return an error. If we ignore its return value, the memory that is allocated in mmc_alloc_host() will be leaked and it will lead to a kernel crash because of deleting a not-added device in the remove path. So fix this by checking the return value and going to the error path, which will call mmc_free_host(); besides, clk_disable_unprepare() also needs to be called. • https://git.kernel.org/stable/c/3a96dff0f828ae9dfb43efd49a9b67a74c6dc360 • CWE-476: NULL Pointer Dereference •
CVSS: 7.1 • EPSS: 0% • CPEs: 7 • EXPL: 0
CVE-2023-53333 – netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one
https://notcve.org/view.php?id=CVE-2023-53333
16 Sep 2025 — In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one Eric Dumazet says: nf_conntrack_dccp_packet() has a unique: dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); And nothing more is 'pulled' from the packet, depending on the content. dh->dccph_doff, and/or dh->dccph_x ...) So dccp_ack_seq() is happily reading stuff past the _dh buffer. BUG: KASAN: stack-out-of-bounds in nf_conntrack_dccp_packet+0x1134... • https://git.kernel.org/stable/c/2bc780499aa33311ec0f3e42624dfaa7be0ade5e • CWE-125: Out-of-bounds Read •
