CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49769 – gfs2: Check sb_bsize_shift after reading superblock
https://notcve.org/view.php?id=CVE-2022-49769
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: gfs2: Check sb_bsize_shift after reading superblock Fuzzers like to scribble over sb_bsize_shift but in reality it's very unlikely that this field would be corrupted on its own. Nevertheless it should be checked to avoid the possibility of messy mount errors due to bad calculations. It's always a fixed value based on the block size so we can just check that it's the expected value. Tested with: mkfs.gfs2 -O -p lock_nolock /dev/vdb for i in ... • https://git.kernel.org/stable/c/d6b1e8ea6f3418c3b461ad5a35cdc93c996b2c87 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49768 – 9p: trans_fd/p9_conn_cancel: drop client lock earlier
https://notcve.org/view.php?id=CVE-2022-49768
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: 9p: trans_fd/p9_conn_cancel: drop client lock earlier syzbot reported a double-lock here and we no longer need this lock after requests have been moved off to local list: just drop the lock earlier. In the Linux kernel, the following vulnerability has been resolved: 9p: trans_fd/p9_conn_cancel: drop client lock earlier syzbot reported a double-lock here and we no longer need this lock after requests have been moved off to local list: just d... • https://git.kernel.org/stable/c/82825dbf393f7c7979d462f9609a15bde8092b3f •
CVSS: 2.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49767 – 9p/trans_fd: always use O_NONBLOCK read/write
https://notcve.org/view.php?id=CVE-2022-49767
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: 9p/trans_fd: always use O_NONBLOCK read/write syzbot is reporting hung task at p9_fd_close() [1], for p9_mux_poll_stop() from p9_conn_destroy() from p9_fd_close() is failing to interrupt already started kernel_read() from p9_fd_read() from p9_read_work() and/or kernel_write() from p9_fd_write() from p9_write_work() requests. Since p9_socket_open() sets O_NONBLOCK flag, p9_mux_poll_stop() does not need to interrupt kernel_read()/kernel_write... • https://git.kernel.org/stable/c/0b5e6bd72b8171364616841603a70e4ba9837063 •
CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49766 – netlink: Bounds-check struct nlmsgerr creation
https://notcve.org/view.php?id=CVE-2022-49766
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: netlink: Bounds-check struct nlmsgerr creation In preparation for FORTIFY_SOURCE doing bounds-check on memcpy(), switch from __nlmsg_put to nlmsg_put(), and explain the bounds check for dealing with the memcpy() across a composite flexible array struct. Avoids this future run-time warning: memcpy: detected field-spanning write (size 32) of single field "&errmsg->msg" at net/netlink/af_netlink.c:2447 (size 16) In the Linux kernel, the follow... • https://git.kernel.org/stable/c/aff4eb16f589c3af322a2582044bca365381fcd6 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49765 – net/9p: use a dedicated spinlock for trans_fd
https://notcve.org/view.php?id=CVE-2022-49765
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: net/9p: use a dedicated spinlock for trans_fd Shamelessly copying the explanation from Tetsuo Handa's suggested patch[1] (slightly reworded): syzbot is reporting inconsistent lock state in p9_req_put()[2], for p9_tag_remove() from p9_req_put() from IRQ context is using spin_lock_irqsave() on "struct p9_client"->lock but trans_fd (not from IRQ context) is using spin_lock(). Since the locks actually protect different things in client.c and in... • https://git.kernel.org/stable/c/43bbadb7e4636dc02f6a283c2a39e6438e6173cd •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49764 – bpf: Prevent bpf program recursion for raw tracepoint probes
https://notcve.org/view.php?id=CVE-2022-49764
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Prevent bpf program recursion for raw tracepoint probes We got report from sysbot [1] about warnings that were caused by bpf program attached to contention_begin raw tracepoint triggering the same tracepoint by using bpf_trace_printk helper that takes trace_printk_lock lock. Call Trace:
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49763 – ntfs: fix use-after-free in ntfs_attr_find()
https://notcve.org/view.php?id=CVE-2022-49763
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ntfs: fix use-after-free in ntfs_attr_find() Patch series "ntfs: fix bugs about Attribute", v2. This patchset fixes three bugs relative to Attribute in record: Patch 1 adds a sanity check to ensure that, attrs_offset field in first mft record loading from disk is within bounds. Patch 2 moves the ATTR_RECORD's bounds checking earlier, to avoid dereferencing ATTR_RECORD before checking this ATTR_RECORD is within bounds. Patch 3 adds an overfl... • https://git.kernel.org/stable/c/79f3ac7dcd12c05b7539239a4c6fa229a50d786c •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49762 – ntfs: check overflow when iterating ATTR_RECORDs
https://notcve.org/view.php?id=CVE-2022-49762
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: ntfs: check overflow when iterating ATTR_RECORDs Kernel iterates over ATTR_RECORDs in mft record in ntfs_attr_find(). Because the ATTR_RECORDs are next to each other, kernel can get the next ATTR_RECORD from end address of current ATTR_RECORD, through current ATTR_RECORD length field. The problem is that during iteration, when kernel calculates the end address of current ATTR_RECORD, kernel may trigger an integer overflow bug in executing `... • https://git.kernel.org/stable/c/5559eb5809353a83a40a1e4e7f066431c7b83020 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2025-37745 – PM: hibernate: Avoid deadlock in hibernate_compressor_param_set()
https://notcve.org/view.php?id=CVE-2025-37745
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: PM: hibernate: Avoid deadlock in hibernate_compressor_param_set() syzbot reported a deadlock in lock_system_sleep() (see below). The write operation to "/sys/module/hibernate/parameters/compressor" conflicts with the registration of ieee80211 device, resulting in a deadlock when attempting to acquire system_transition_mutex under param_lock. To avoid this deadlock, change hibernate_compressor_param_set() to use mutex_trylock() for attemptin... • https://git.kernel.org/stable/c/11ae4fec1f4b4ee06770a572c37d89cbaecbf66e •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-37742 – jfs: Fix uninit-value access of imap allocated in the diMount() function
https://notcve.org/view.php?id=CVE-2025-37742
01 May 2025 — In the Linux kernel, the following vulnerability has been resolved: jfs: Fix uninit-value access of imap allocated in the diMount() function syzbot reports that hex_dump_to_buffer is using uninit-value: ===================================================== BUG: KMSAN: uninit-value in hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171 hex_dump_to_buffer+0x888/0x1100 lib/hexdump.c:171 print_hex_dump+0x13d/0x3e0 lib/hexdump.c:276 diFree+0x5ba/0x4350 fs/jfs/jfs_imap.c:876 jfs_evict_inode+0x510/0x550 fs/jfs/inode... • https://git.kernel.org/stable/c/4f10732712fce33e53703ffe5ed9155f23814097 •