CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49729 – nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred
https://notcve.org/view.php?id=CVE-2022-49729
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred Similar to the handling of play_deferred in commit 19cfe912c37b ("Bluetooth: btusb: Fix memory leak in play_deferred"), we thought a patch might be needed here as well. Currently usb_submit_urb is called directly to submit deferred tx urbs after unanchor them. So the usb_giveback_urb_bh would failed to unref it in usb_unanchor_urb and cause memory leak. Put those urbs in tx_anchor to av... • https://git.kernel.org/stable/c/1eb0afecfb9cd0f38424b82bd9aaa542310934ee •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-49728 – ipv6: Fix signed integer overflow in __ip6_append_data
https://notcve.org/view.php?id=CVE-2022-49728
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix signed integer overflow in __ip6_append_data Resurrect ubsan overflow checks and ubsan report this warning, fix it by change the variable [length] type to size_t. UBSAN: signed-integer-overflow in net/ipv6/ip6_output.c:1489:19 2147479552 + 8567 cannot be represented in type 'int' CPU: 0 PID: 253 Comm: err Not tainted 5.16.0+ #1 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace+0x214/0x230 show_stack+0x30/0x78 dump_st... • https://git.kernel.org/stable/c/84dc940890e91e42898e4443a093281702440abf •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49727 – ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg
https://notcve.org/view.php?id=CVE-2022-49727
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be overflow. To fix, we can follow what udpv6 does and subtract the transhdrlen from the max. In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be overflow. To fix, we can follow what udpv... • https://git.kernel.org/stable/c/2cf73c7cb6125083408d77f43d0e84d86aed0000 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2022-49725 – i40e: Fix call trace in setup_tx_descriptors
https://notcve.org/view.php?id=CVE-2022-49725
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: i40e: Fix call trace in setup_tx_descriptors After PF reset and ethtool -t there was call trace in dmesg sometimes leading to panic. When there was some time, around 5 seconds, between reset and test there were no errors. Problem was that pf reset calls i40e_vsi_close in prep_for_reset and ethtool -t calls i40e_vsi_close in diag_test. If there was not enough time between those commands the second i40e_vsi_close starts before previous i40e_v... • https://git.kernel.org/stable/c/e17bc411aea8fbebc51857037f104ab09f765120 •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2022-49724 – tty: goldfish: Fix free_irq() on remove
https://notcve.org/view.php?id=CVE-2022-49724
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: tty: goldfish: Fix free_irq() on remove Pass the correct dev_id to free_irq() to fix this splat when the driver is unbound: WARNING: CPU: 0 PID: 30 at kernel/irq/manage.c:1895 free_irq Trying to free already-free IRQ 65 Call Trace: warn_slowpath_fmt free_irq goldfish_tty_remove platform_remove device_remove device_release_driver_internal device_driver_detach unbind_store drv_attr_store ... In the Linux kernel, the following vulnerability ha... • https://git.kernel.org/stable/c/465893e18878e119d8d0255439fad8debbd646fd •
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49719 – irqchip/gic/realview: Fix refcount leak in realview_gic_of_init
https://notcve.org/view.php?id=CVE-2022-49719
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: irqchip/gic/realview: Fix refcount leak in realview_gic_of_init of_find_matching_node_and_match() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. In the Linux kernel, the following vulnerability has been resolved: irqchip/gic/realview: Fix refcount leak in realview_gic_of_init of_find_matching_node_and_match() returns a node pointer ... • https://git.kernel.org/stable/c/82b0a434b436f5da69ddd24bd6a6fa5dc4484310 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2022-49715 – irqchip/gic-v3: Fix refcount leak in gic_populate_ppi_partitions
https://notcve.org/view.php?id=CVE-2022-49715
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3: Fix refcount leak in gic_populate_ppi_partitions of_find_node_by_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3: Fix refcount leak in gic_populate_ppi_partitions of_find_node_by_phandle() returns a node pointer with refcount ... • https://git.kernel.org/stable/c/e3825ba1af3a27d7522c9f5f929f5a13b8b138ae •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2022-49712 – usb: gadget: lpc32xx_udc: Fix refcount leak in lpc32xx_udc_probe
https://notcve.org/view.php?id=CVE-2022-49712
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: gadget: lpc32xx_udc: Fix refcount leak in lpc32xx_udc_probe of_parse_phandle() returns a node pointer with refcount incremented, we should use of_node_put() on it when not need anymore. Add missing of_node_put() to avoid refcount leak. of_node_put() will check NULL pointer. In the Linux kernel, the following vulnerability has been resolved: usb: gadget: lpc32xx_udc: Fix refcount leak in lpc32xx_udc_probe of_parse_phandle() returns a no... • https://git.kernel.org/stable/c/24a28e4283510dcd58890379a42b8a7d3201d9d3 •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-49711 – bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove()
https://notcve.org/view.php?id=CVE-2022-49711
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc-bus: fix KASAN use-after-free in fsl_mc_bus_remove() In fsl_mc_bus_remove(), mc->root_mc_bus_dev->mc_io is passed to fsl_destroy_mc_io(). However, mc->root_mc_bus_dev is already freed in fsl_mc_device_remove(). Then reference to mc->root_mc_bus_dev->mc_io triggers KASAN use-after-free. To avoid the use-after-free, keep the reference to mc->root_mc_bus_dev->mc_io in a local variable and pass to fsl_destroy_mc_io(). This patch nee... • https://git.kernel.org/stable/c/f93627146f0e371093966ed3d44c065aa077cfb1 • CWE-416: Use After Free •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49710 – dm mirror log: round up region bitmap size to BITS_PER_LONG
https://notcve.org/view.php?id=CVE-2022-49710
26 Feb 2025 — In the Linux kernel, the following vulnerability has been resolved: dm mirror log: round up region bitmap size to BITS_PER_LONG The code in dm-log rounds up bitset_size to 32 bits. It then uses find_next_zero_bit_le on the allocated region. find_next_zero_bit_le accesses the bitmap using unsigned long pointers. So, on 64-bit architectures, it may access 4 bytes beyond the allocated size. Fix this bug by rounding up bitset_size to BITS_PER_LONG. This bug was found by running the lvm2 testsuite with kasan. • https://git.kernel.org/stable/c/29121bd0b00ebb9524971a583fea4a2f7afe8041 •