CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49940 – tty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf()
https://notcve.org/view.php?id=CVE-2022-49940
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: tty: n_gsm: add sanity check for gsm->receive in gsm_receive_buf() A null pointer dereference can happen when attempting to access the "gsm->receive()" function in gsmld_receive_buf(). Currently, the code assumes that gsm->recieve is only called after MUX activation. Since the gsmld_receive_buf() function can be accessed without the need to initialize the MUX, the gsm->receive() function will not be set and a NULL pointer dereference will o... • https://git.kernel.org/stable/c/dfa9b6d34aac2154b5e926d7a7a061123bf137c6 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2022-49939 – binder: fix UAF of ref->proc caused by race condition
https://notcve.org/view.php?id=CVE-2022-49939
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of ref->proc caused by race condition A transaction of type BINDER_TYPE_WEAK_HANDLE can fail to increment the reference for a node. In this case, the target proc normally releases the failed reference upon close as expected. However, if the target is dying in parallel the call will race with binder_deferred_release(), so the target could have released all of its references by now leaving the cleanup of the new failed referen... • https://git.kernel.org/stable/c/229f47603dd306bc0eb1a831439adb8e48bb0eae •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49938 – cifs: fix small mempool leak in SMB2_negotiate()
https://notcve.org/view.php?id=CVE-2022-49938
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: cifs: fix small mempool leak in SMB2_negotiate() In some cases of failure (dialect mismatches) in SMB2_negotiate(), after the request is sent, the checks would return -EIO when they should be rather setting rc = -EIO and jumping to neg_exit to free the response buffer from mempool. In the Linux kernel, the following vulnerability has been resolved: cifs: fix small mempool leak in SMB2_negotiate() In some cases of failure (dialect mismatches... • https://git.kernel.org/stable/c/9e3c9efa7caf16e5acc05eab5e4d0a714e1610b0 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49937 – media: mceusb: Use new usb_control_msg_*() routines
https://notcve.org/view.php?id=CVE-2022-49937
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: media: mceusb: Use new usb_control_msg_*() routines Automatic kernel fuzzing led to a WARN about invalid pipe direction in the mceusb driver: ------------[ cut here ]------------ usb 6-1: BOGUS control dir, pipe 80000380 doesn't match bRequestType 40 WARNING: CPU: 0 PID: 2465 at drivers/usb/core/urb.c:410 usb_submit_urb+0x1326/0x1820 drivers/usb/core/urb.c:410 Modules linked in: CPU: 0 PID: 2465 Comm: kworker/0:2 Not tainted 5.19.0-rc4-0020... • https://git.kernel.org/stable/c/587f793c64d99d92be8ef01c4c69d885a3f2edb6 •
CVSS: 6.6EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49936 – USB: core: Prevent nested device-reset calls
https://notcve.org/view.php?id=CVE-2022-49936
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: USB: core: Prevent nested device-reset calls Automatic kernel fuzzing revealed a recursive locking violation in usb-storage: ============================================ WARNING: possible recursive locking detected 5.18.0 #3 Not tainted -------------------------------------------- kworker/1:3/1205 is trying to acquire lock: ffff888018638db8 (&us_interface_key[i]){+.+.}-{3:3}, at: usb_stor_pre_reset+0x35/0x40 drivers/usb/storage/usb.c:230 bu... • https://git.kernel.org/stable/c/d90419b8b8322b6924f6da9da952647f2dadc21b •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49935 – dma-buf/dma-resv: check if the new fence is really later
https://notcve.org/view.php?id=CVE-2022-49935
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: dma-buf/dma-resv: check if the new fence is really later Previously when we added a fence to a dma_resv object we always assumed the the newer than all the existing fences. With Jason's work to add an UAPI to explicit export/import that's not necessary the case any more. So without this check we would allow userspace to force the kernel into an use after free error. Since the change is very small and defensive it's probably a good idea to b... • https://git.kernel.org/stable/c/c4c798fe98adceb642050819cb57cbc8f5c27870 •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49934 – wifi: mac80211: Fix UAF in ieee80211_scan_rx()
https://notcve.org/view.php?id=CVE-2022-49934
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: Fix UAF in ieee80211_scan_rx() ieee80211_scan_rx() tries to access scan_req->flags after a null check, but a UAF is observed when the scan is completed and __ieee80211_scan_completed() executes, which then calls cfg80211_scan_done() leading to the freeing of scan_req. Since scan_req is rcu_dereference()'d, prevent the racing in __ieee80211_scan_completed() by ensuring that from mac80211's POV it is no longer accessed from an... • https://git.kernel.org/stable/c/6eb181a64fdabf10be9e54de728876667da20255 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2025-38082 – gpio: virtuser: fix potential out-of-bound write
https://notcve.org/view.php?id=CVE-2025-38082
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix potential out-of-bound write If the caller wrote more characters, count is truncated to the max available space in "simple_write_to_buffer". Check that the input size does not exceed the buffer size. Write a zero termination afterwards. In the Linux kernel, the following vulnerability has been resolved: gpio: virtuser: fix potential out-of-bound write If the caller wrote more characters, count is truncated to the max ava... • https://git.kernel.org/stable/c/91581c4b3f29e2e22aeb1a62e842d529ca638b2d •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38081 – spi-rockchip: Fix register out of bounds access
https://notcve.org/view.php?id=CVE-2025-38081
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: spi-rockchip: Fix register out of bounds access Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense. In the Linux kernel, the following vulnerability has been resolved: spi-rockchip: Fix register out of bounds access Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense. • https://git.kernel.org/stable/c/4a120221661fcecb253448d7b041a52d47f1d91f •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-38080 – drm/amd/display: Increase block_sequence array size
https://notcve.org/view.php?id=CVE-2025-38080
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Increase block_sequence array size [Why] It's possible to generate more than 50 steps in hwss_build_fast_sequence, for example with a 6-pipe asic where all pipes are in one MPC chain. This overflows the block_sequence buffer and corrupts block_sequence_steps, causing a crash. [How] Expand block_sequence to 100 items. A naive upper bound on the possible number of steps for a 6-pipe asic, ignoring the potential for steps to b... • https://git.kernel.org/stable/c/de67e80ab48f1f23663831007a2fa3c1471a7757 •