CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49951 – firmware_loader: Fix use-after-free during unregister
https://notcve.org/view.php?id=CVE-2022-49951
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: firmware_loader: Fix use-after-free during unregister In the following code within firmware_upload_unregister(), the call to device_unregister() could result in the dev_release function freeing the fw_upload_priv structure before it is dereferenced for the call to module_put(). This bug was found by the kernel test robot using CONFIG_KASAN while running the firmware selftests. device_unregister(&fw_sysfs->dev); module_put(fw_upload_priv->mo... • https://git.kernel.org/stable/c/97730bbb242cde22b7140acd202ffd88823886c9 •
CVSS: 9.0EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49950 – misc: fastrpc: fix memory corruption on open
https://notcve.org/view.php?id=CVE-2022-49950
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix memory corruption on open The probe session-duplication overflow check incremented the session count also when there were no more available sessions so that memory beyond the fixed-size slab-allocated session array could be corrupted in fastrpc_session_alloc() on open(). In the Linux kernel, the following vulnerability has been resolved: misc: fastrpc: fix memory corruption on open The probe session-duplication overflow c... • https://git.kernel.org/stable/c/f6f9279f2bf0e37e2f1fb119d8832b8568536a04 •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49949 – firmware_loader: Fix memory leak in firmware upload
https://notcve.org/view.php?id=CVE-2022-49949
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: firmware_loader: Fix memory leak in firmware upload In the case of firmware-upload, an instance of struct fw_upload is allocated in firmware_upload_register(). This data needs to be freed in fw_dev_release(). Create a new fw_upload_free() function in sysfs_upload.c to handle the firmware-upload specific memory frees and incorporate the missing kfree call for the fw_upload structure. In the Linux kernel, the following vulnerability has been ... • https://git.kernel.org/stable/c/97730bbb242cde22b7140acd202ffd88823886c9 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49948 – vt: Clear selection before changing the font
https://notcve.org/view.php?id=CVE-2022-49948
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: vt: Clear selection before changing the font When changing the console font with ioctl(KDFONTOP) the new font size can be bigger than the previous font. A previous selection may thus now be outside of the new screen size and thus trigger out-of-bounds accesses to graphics memory if the selection is removed in vc_do_resize(). Prevent such out-of-memory accesses by dropping the selection before the various con_font_set() console handlers are ... • https://git.kernel.org/stable/c/c555cf04684fde39b5b0dd9fd80730030ee10c4a •
CVSS: 6.9EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49947 – binder: fix alloc->vma_vm_mm null-ptr dereference
https://notcve.org/view.php?id=CVE-2022-49947
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: binder: fix alloc->vma_vm_mm null-ptr dereference Syzbot reported a couple issues introduced by commit 44e602b4e52f ("binder_alloc: add missing mmap_lock calls when using the VMA"), in which we attempt to acquire the mmap_lock when alloc->vma_vm_mm has not been initialized yet. This can happen if a binder_proc receives a transaction without having previously called mmap() to setup the binder_proc->alloc space in [1]. Also, a similar issue o... • https://git.kernel.org/stable/c/577d9c05cc48c5242bcf719c06a5baf3105473ad •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49946 – clk: bcm: rpi: Prevent out-of-bounds access
https://notcve.org/view.php?id=CVE-2022-49946
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Prevent out-of-bounds access The while loop in raspberrypi_discover_clocks() relies on the assumption that the id of the last clock element is zero. Because this data comes from the Videocore firmware and it doesn't guarantuee such a behavior this could lead to out-of-bounds access. So fix this by providing a sentinel element. In the Linux kernel, the following vulnerability has been resolved: clk: bcm: rpi: Prevent out-of-bo... • https://git.kernel.org/stable/c/93d2725affd65686792f4b57e49ef660f3c8c0f9 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49945 – hwmon: (gpio-fan) Fix array out of bounds access
https://notcve.org/view.php?id=CVE-2022-49945
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: hwmon: (gpio-fan) Fix array out of bounds access The driver does not check if the cooling state passed to gpio_fan_set_cur_state() exceeds the maximum cooling state as stored in fan_data->num_speeds. Since the cooling state is later used as an array index in set_fan_speed(), an array out of bounds access can occur. This can be exploited by setting the state of the thermal cooling device to arbitrary values, causing for example a kernel oops... • https://git.kernel.org/stable/c/b5cf88e46badea6d600d8515edea23814e03444d •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49944 – Revert "usb: typec: ucsi: add a common function ucsi_unregister_connectors()"
https://notcve.org/view.php?id=CVE-2022-49944
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: Revert "usb: typec: ucsi: add a common function ucsi_unregister_connectors()" The recent commit 87d0e2f41b8c ("usb: typec: ucsi: add a common function ucsi_unregister_connectors()") introduced a regression that caused NULL dereference at reading the power supply sysfs. It's a stale sysfs entry that should have been removed but remains with NULL ops. The commit changed the error handling to skip the entries after a NULL con->wq, and this lea... • https://git.kernel.org/stable/c/87d0e2f41b8cc2018499be4e8003fa8c09b6f2fb •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2022-49943 – USB: gadget: Fix obscure lockdep violation for udc_mutex
https://notcve.org/view.php?id=CVE-2022-49943
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: USB: gadget: Fix obscure lockdep violation for udc_mutex A recent commit expanding the scope of the udc_lock mutex in the gadget core managed to cause an obscure and slightly bizarre lockdep violation. In abbreviated form: ====================================================== WARNING: possible circular locking dependency detected 5.19.0-rc7+ #12510 Not tainted ------------------------------------------------------ udevadm/312 is trying to ... • https://git.kernel.org/stable/c/f44b0b95d50fffeca036e1ba36770390e0b519dd •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49942 – wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected
https://notcve.org/view.php?id=CVE-2022-49942
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected When we are not connected to a channel, sending channel "switch" announcement doesn't make any sense. The BSS list is empty in that case. This causes the for loop in cfg80211_get_bss() to be bypassed, so the function returns NULL (check line 1424 of net/wireless/scan.c), causing the WARN_ON() in ieee80211_ibss_csa_beacon() to get triggered (check line 500 of net/mac802... • https://git.kernel.org/stable/c/cd7760e62c2ac8581f050b2d36501d1a60beaf83 •