CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2022-50618 – mmc: meson-gx: fix return value check of mmc_add_host()
https://notcve.org/view.php?id=CVE-2022-50618
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: mmc: meson-gx: fix return value check of mmc_add_host() mmc_add_host() may return error, if we ignore its return value, it will lead two issues: 1. The memory that allocated in mmc_alloc_host() is leaked. 2. In the remove() path, mmc_remove_host() will be called to delete device, but it's not added yet, it will lead a kernel crash because of null-ptr-deref in device_del(). Fix this by checking the return value and goto error path which will... • https://git.kernel.org/stable/c/51c5d8447bd71b7e539c19c46a03b73c0e91fa66 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-50617 – drm/amdgpu/powerplay/psm: Fix memory leak in power state init
https://notcve.org/view.php?id=CVE-2022-50617
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/powerplay/psm: Fix memory leak in power state init Commit 902bc65de0b3 ("drm/amdgpu/powerplay/psm: return an error in power state init") made the power state init function return early in case of failure to get an entry from the powerplay table, but it missed to clean up the allocated memory for the current power state before returning. In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/powerplay/psm: ... • https://git.kernel.org/stable/c/902bc65de0b3d72c481b45cbac3e97ab8cb399c2 •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-50616 – regulator: core: Use different devices for resource allocation and DT lookup
https://notcve.org/view.php?id=CVE-2022-50616
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: regulator: core: Use different devices for resource allocation and DT lookup Following by the below discussion, there's the potential UAF issue between regulator and mfd. https://lore.kernel.org/all/20221128143601.1698148-1-yangyingliang@huawei.com/ From the analysis of Yingliang CPU A |CPU B mt6370_probe() | devm_mfd_add_devices() | |mt6370_regulator_probe() | regulator_register() | //allocate init_data and add it to devres | regulator_of_... • https://git.kernel.org/stable/c/a0c7b164ad115ec0556dc0904ee2218cbc5cedfa •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2022-50615 – perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map()
https://notcve.org/view.php?id=CVE-2022-50615
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Fix reference count leak in snr_uncore_mmio_map() pci_get_device() will increase the reference count for the returned pci_dev, so snr_uncore_get_mc_dev() will return a pci_dev with its reference count increased. We need to call pci_dev_put() to decrease the reference count. Let's add the missing pci_dev_put(). In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Fix reference coun... • https://git.kernel.org/stable/c/ee49532b38dd084650bf715eabe7e3828fb8d275 •
CVSS: 6.6EPSS: 0%CPEs: 5EXPL: 0CVE-2022-50614 – misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic
https://notcve.org/view.php?id=CVE-2022-50614
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Fix pci_endpoint_test_{copy,write,read}() panic The dma_map_single() doesn't permit zero length mapping. It causes a follow panic. A panic was reported on arm64: [ 60.137988] ------------[ cut here ]------------ [ 60.142630] kernel BUG at kernel/dma/swiotlb.c:624! [ 60.147508] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP [ 60.152992] Modules linked in: dw_hdmi_cec crct10dif_ce simple_bridge rcar_fdp1 vsp1 rcar_vin... • https://git.kernel.org/stable/c/343dc693f7b79885197f9d37dd8b711b0e3ffc8f •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40324 – NFSD: Fix crash in nfsd4_read_release()
https://notcve.org/view.php?id=CVE-2025-40324
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix crash in nfsd4_read_release() When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test. In the Linux kernel, the following vulnerability has been resolved: NFSD: Fix crash in nfsd4_read_release() When tracing is enabled, the trace_nfsd_read_done trace point crashes during the pynfs read.testNoFh test. The SUSE Linux Enterprise 15 SP6 kernel was updated to fix various security issues... • https://git.kernel.org/stable/c/65a33135e91e6dd661ecdf1194b9d90c49ae3570 •
CVSS: 6.9EPSS: 0%CPEs: 5EXPL: 0CVE-2025-40323 – fbcon: Set fb_display[i]->mode to NULL when the mode is released
https://notcve.org/view.php?id=CVE-2025-40323
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: fbcon: Set fb_display[i]->mode to NULL when the mode is released Recently, we discovered the following issue through syzkaller: BUG: KASAN: slab-use-after-free in fb_mode_is_equal+0x285/0x2f0 Read of size 4 at addr ff11000001b3c69c by task syz.xxx ... Call Trace:
CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40322 – fbdev: bitblit: bound-check glyph index in bit_putcs*
https://notcve.org/view.php?id=CVE-2025-40322
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: fbdev: bitblit: bound-check glyph index in bit_putcs* bit_putcs_aligned()/unaligned() derived the glyph pointer from the character value masked by 0xff/0x1ff, which may exceed the actual font's glyph count and read past the end of the built-in font array. Clamp the index to the actual glyph count before computing the address. This fixes a global out-of-bounds read reported by syzbot. In the Linux kernel, the following vulnerability has been... • https://git.kernel.org/stable/c/1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 •
CVSS: 6.5EPSS: 0%CPEs: 8EXPL: 0CVE-2025-40321 – wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode
https://notcve.org/view.php?id=CVE-2025-40321
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: fix crash while sending Action Frames in standalone AP Mode Currently, whenever there is a need to transmit an Action frame, the brcmfmac driver always uses the P2P vif to send the "actframe" IOVAR to firmware. The P2P interfaces were available when wpa_supplicant is managing the wlan interface. However, the P2P interfaces are not created/initialized when only hostapd is managing the wlan interface. And if hostapd receives a... • https://git.kernel.org/stable/c/18e2f61db3b708e0a22ccc403cb6ab2203d6faab •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2025-40319 – bpf: Sync pending IRQ work before freeing ring buffer
https://notcve.org/view.php?id=CVE-2025-40319
08 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: bpf: Sync pending IRQ work before freeing ring buffer Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may accesses freed memory. Calling `irq_work_sync(&rb->work)` ensures that all ... • https://git.kernel.org/stable/c/457f44363a8894135c85b7a9afd2bd8196db24ab •