CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49149 – rxrpc: Fix call timer start racing with call destruction
https://notcve.org/view.php?id=CVE-2022-49149
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix call timer start racing with call destruction The rxrpc_call struct has a timer used to handle various timed events relating to a call. This timer can get started from the packet input routines that are run in softirq mode with just the RCU read lock held. Unfortunately, because only the RCU read lock is held - and neither ref or other lock is taken - the call can start getting destroyed at the same time a packet comes in address... • https://git.kernel.org/stable/c/a158bdd3247b9656df36ba133235fff702e9fdc3 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49148 – watch_queue: Free the page array when watch_queue is dismantled
https://notcve.org/view.php?id=CVE-2022-49148
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: watch_queue: Free the page array when watch_queue is dismantled Commit 7ea1a0124b6d ("watch_queue: Free the alloc bitmap when the watch_queue is torn down") took care of the bitmap, but not the page array. BUG: memory leak unreferenced object 0xffff88810d9bc140 (size 32): comm "syz-executor335", pid 3603, jiffies 4294946994 (age 12.840s) hex dump (first 32 bytes): 40 a7 40 04 00 ea ff ff 00 00 00 00 00 00 00 00 @.@............. 00 00 00 00 ... • https://git.kernel.org/stable/c/c73be61cede5882f9605a852414db559c0ebedfd •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49147 – block: Fix the maximum minor value is blk_alloc_ext_minor()
https://notcve.org/view.php?id=CVE-2022-49147
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: block: Fix the maximum minor value is blk_alloc_ext_minor() ida_alloc_range(..., min, max, ...) returns values from min to max, inclusive. So, NR_EXT_DEVT is a valid idx returned by blk_alloc_ext_minor(). This is an issue because in device_add_disk(), this value is used in: ddev->devt = MKDEV(disk->major, disk->first_minor); and NR_EXT_DEVT is '(1 << MINORBITS)'. So, should 'disk->first_minor' be NR_EXT_DEVT, it would overflow. • https://git.kernel.org/stable/c/22ae8ce8b89241c94ac00c237752c0ffa37ba5ae •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49146 – virtio: use virtio_device_ready() in virtio_device_restore()
https://notcve.org/view.php?id=CVE-2022-49146
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: virtio: use virtio_device_ready() in virtio_device_restore() After waking up a suspended VM, the kernel prints the following trace for virtio drivers which do not directly call virtio_device_ready() in the .restore: PM: suspend exit irq 22: nobody cared (try booting with the "irqpoll" option) Call Trace:
CVSS: -EPSS: 0%CPEs: 9EXPL: 0CVE-2022-49145 – ACPI: CPPC: Avoid out of bounds access when parsing _CPC data
https://notcve.org/view.php?id=CVE-2022-49145
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Avoid out of bounds access when parsing _CPC data If the NumEntries field in the _CPC return package is less than 2, do not attempt to access the "Revision" element of that package, because it may not be present then. BugLink: https://lore.kernel.org/lkml/20220322143534.GC32582@xsang-OptiPlex-9020/ • https://git.kernel.org/stable/c/337aadff8e4567e39669e07d9a88b789d78458b5 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49144 – io_uring: fix memory leak of uid in files registration
https://notcve.org/view.php?id=CVE-2022-49144
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: io_uring: fix memory leak of uid in files registration When there are no files for __io_sqe_files_scm() to process in the range, it'll free everything and return. However, it forgets to put uid. • https://git.kernel.org/stable/c/08a451739a9b5783f67de51e84cb6d9559bb9dc4 •
CVSS: -EPSS: 0%CPEs: 11EXPL: 0CVE-2022-49142 – net: preserve skb_end_offset() in skb_unclone_keeptruesize()
https://notcve.org/view.php?id=CVE-2022-49142
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: preserve skb_end_offset() in skb_unclone_keeptruesize() syzbot found another way to trigger the infamous WARN_ON_ONCE(delta < len) in skb_try_coalesce() [1] I was able to root cause the issue to kfence. When kfence is in action, the following assertion is no longer true: int size = xxxx; void *ptr1 = kmalloc(size, gfp); void *ptr2 = kmalloc(size, gfp); if (ptr1 && ptr2) ASSERT(ksize(ptr1) == ksize(ptr2)); We attempted to fix these issu... • https://git.kernel.org/stable/c/097b9146c0e26aabaa6ff3e5ea536a53f5254a79 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49141 – net: dsa: felix: fix possible NULL pointer dereference
https://notcve.org/view.php?id=CVE-2022-49141
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: net: dsa: felix: fix possible NULL pointer dereference As the possible failure of the allocation, kzalloc() may return NULL pointer. Therefore, it should be better to check the 'sgi' in order to prevent the dereference of NULL pointer. • https://git.kernel.org/stable/c/23ae3a7877718931474684ef4fbbaf1d1511ee84 •
CVSS: -EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49139 – Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt
https://notcve.org/view.php?id=CVE-2022-49139
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: fix null ptr deref on hci_sync_conn_complete_evt This event is just specified for SCO and eSCO link types. On the reception of a HCI_Synchronous_Connection_Complete for a BDADDR of an existing LE connection, LE link type and a status that triggers the second case of the packet processing a NULL pointer dereference happens, as conn->link is NULL. • https://git.kernel.org/stable/c/1c1291a84e94f6501644634c97544bb8291e9a1a •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49138 – Bluetooth: hci_event: Ignore multiple conn complete events
https://notcve.org/view.php?id=CVE-2022-49138
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Ignore multiple conn complete events When one of the three connection complete events is received multiple times for the same handle, the device is registered multiple times which leads to memory corruptions. Therefore, consequent events for a single connection are ignored. The conn->state can hold different values, therefore HCI_CONN_HANDLE_UNSET is introduced to identify new connections. To make sure the events do no... • https://git.kernel.org/stable/c/aa1ca580e3ffe62a2c5ea1c095b609b2943c5269 •