CVSS: 7.1EPSS: 0%CPEs: 8EXPL: 0CVE-2022-50185 – drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()
https://notcve.org/view.php?id=CVE-2022-50185
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers() The last case label can write two buffers 'mc_reg_address[j]' and 'mc_data[j]' with 'j' offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE since there are no checks for this value in both case labels after the last 'j++'. Instead of changing '>' to '>=' there, add the bounds check at the start of the second 'case' (the first one already has it). Also, remove redunda... • https://git.kernel.org/stable/c/69e0b57a91adca2e3eb56ed4db39ab90f3ae1043 •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-50171 – crypto: hisilicon/sec - don't sleep when in softirq
https://notcve.org/view.php?id=CVE-2022-50171
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: crypto: hisilicon/sec - don't sleep when in softirq When kunpeng920 encryption driver is used to deencrypt and decrypt packets during the softirq, it is not allowed to use mutex lock. The kernel will report the following error: BUG: scheduling while atomic: swapper/57/0/0x00000300 Call trace: dump_backtrace+0x0/0x1e4 show_stack+0x20/0x2c dump_stack+0xd8/0x140 __schedule_bug+0x68/0x80 __schedule+0x728/0x840 schedule+0x50/0xe0 schedule_preemp... • https://git.kernel.org/stable/c/416d82204df44ef727de6eafafeaa4d12fdc78dc •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2022-50156 – HID: cp2112: prevent a buffer overflow in cp2112_xfer()
https://notcve.org/view.php?id=CVE-2022-50156
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: HID: cp2112: prevent a buffer overflow in cp2112_xfer() Smatch warnings: drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy() 'data->block[1]' too small (33 vs 255) drivers/hid/hid-cp2112.c:793 cp2112_xfer() error: __memcpy() 'buf' too small (64 vs 255) The 'read_length' variable is provided by 'data->block[0]' which comes from user and it(read_length) can take a value between 0-255. Add an upper bound to 'read_length' variable to p... • https://git.kernel.org/stable/c/542134c0375b5ca2b1d18490c02b8a20bfdd8d74 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-50151 – usb: cdns3: fix random warning message when driver load
https://notcve.org/view.php?id=CVE-2022-50151
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: cdns3: fix random warning message when driver load Warning log: [ 4.141392] Unexpected gfp: 0x4 (GFP_DMA32). Fixing up to gfp: 0xa20 (GFP_ATOMIC). Fix your code! [ 4.150340] CPU: 1 PID: 175 Comm: 1-0050 Not tainted 5.15.5-00039-g2fd9ae1b568c #20 [ 4.158010] Hardware name: Freescale i.MX8QXP MEK (DT) [ 4.163155] Call trace: [ 4.165600] dump_backtrace+0x0/0x1b0 [ 4.169286] show_stack+0x18/0x68 [ 4.172611] dump_stack_lvl+0x68/0x84 [ 4.176... • https://git.kernel.org/stable/c/8bc1901ca7b07d864fca11461b3875b31f949765 •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2022-50034 – usb: cdns3 fix use-after-free at workaround 2
https://notcve.org/view.php?id=CVE-2022-50034
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: cdns3 fix use-after-free at workaround 2 BUG: KFENCE: use-after-free read in __list_del_entry_valid+0x10/0xac cdns3_wa2_remove_old_request() { ... kfree(priv_req->request.buf); cdns3_gadget_ep_free_request(&priv_ep->endpoint, &priv_req->request); list_del_init(&priv_req->list); ^^^ use after free ... } cdns3_gadget_ep_free_request() free the space pointed by priv_req, but priv_req is used in the following list_del_init(). This patch mo... • https://git.kernel.org/stable/c/8bc1901ca7b07d864fca11461b3875b31f949765 •
CVSS: 7.1EPSS: 0%CPEs: 3EXPL: 0CVE-2022-50026 – habanalabs/gaudi: fix shift out of bounds
https://notcve.org/view.php?id=CVE-2022-50026
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: habanalabs/gaudi: fix shift out of bounds When validating NIC queues, queue offset calculation must be performed only for NIC queues. In the Linux kernel, the following vulnerability has been resolved: habanalabs/gaudi: fix shift out of bounds When validating NIC queues, queue offset calculation must be performed only for NIC queues. • https://git.kernel.org/stable/c/ac0ae6a96aa58eeba4aed97b12ef1dea8c5bf399 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-50016 – ASoC: SOF: Intel: cnl: Do not process IPC reply before firmware boot
https://notcve.org/view.php?id=CVE-2022-50016
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: cnl: Do not process IPC reply before firmware boot It is not yet clear, but it is possible to create a firmware so broken that it will send a reply message before a FW_READY message (it is not yet clear if FW_READY will arrive later). Since the reply_data is allocated only after the FW_READY message, this will lead to a NULL pointer dereference if not filtered out. The issue was reported with IPC4 firmware but the same con... • https://git.kernel.org/stable/c/273020522ef62361c5d86eebe45a72418ed8dea4 •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2022-50015 – ASoC: SOF: Intel: hda-ipc: Do not process IPC reply before firmware boot
https://notcve.org/view.php?id=CVE-2022-50015
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda-ipc: Do not process IPC reply before firmware boot It is not yet clear, but it is possible to create a firmware so broken that it will send a reply message before a FW_READY message (it is not yet clear if FW_READY will arrive later). Since the reply_data is allocated only after the FW_READY message, this will lead to a NULL pointer dereference if not filtered out. The issue was reported with IPC4 firmware but the same... • https://git.kernel.org/stable/c/6e9cde974863dc9d9c6cdb178f625e410c5be3d0 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-49998 – rxrpc: Fix locking in rxrpc's sendmsg
https://notcve.org/view.php?id=CVE-2022-49998
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix locking in rxrpc's sendmsg Fix three bugs in the rxrpc's sendmsg implementation: (1) rxrpc_new_client_call() should release the socket lock when returning an error from rxrpc_get_call_slot(). (2) rxrpc_wait_for_tx_window_intr() will return without the call mutex held in the event that we're interrupted by a signal whilst waiting for tx space on the socket or relocking the call mutex afterwards. Fix this by: (a) moving the unlock/... • https://git.kernel.org/stable/c/bc5e3a546d553e5223851fc199e69040eb70f68b •
CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-49997 – net: lantiq_xrx200: restore buffer if memory allocation failed
https://notcve.org/view.php?id=CVE-2022-49997
18 Jun 2025 — In the Linux kernel, the following vulnerability has been resolved: net: lantiq_xrx200: restore buffer if memory allocation failed In a situation where memory allocation fails, an invalid buffer address is stored. When this descriptor is used again, the system panics in the build_skb() function when accessing memory. In the Linux kernel, the following vulnerability has been resolved: net: lantiq_xrx200: restore buffer if memory allocation failed In a situation where memory allocation fails, an invalid buffe... • https://git.kernel.org/stable/c/7ea6cd16f1599c1eac6018751eadbc5fc736b99a •