Linux Kernel vulnerabilities

CVE-2022-50492 [HIGH] CWE-416 CVE-2022-50492: In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix use-after-free on In the Linux kernel, the following vulnerability has been resolved: drm/msm: fix use-after-free on probe deferral The bridge counter was never reset when tearing down the DRM device so that stale pointers to deallocated structures would be accessed on the next tear down (e.g. after a second late bind deferral). Given enough bridges and a few probe d

CVE-2023-53543 [HIGH] CVE-2023-53543: In the Linux kernel, the following vulnerability has been resolved: vdpa: Add max vqp attr to vdpa_ In the Linux kernel, the following vulnerability has been resolved: vdpa: Add max vqp attr to vdpa_nl_policy for nlattr length check The vdpa_nl_policy structure is used to validate the nlattr when parsing the incoming nlmsg. It will ensure the attribute being described produces a valid nlattr pointer in info->attrs before entering into each handler in vdpa

CVE-2023-53587 [HIGH] CWE-416 CVE-2023-53587: In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Sync IRQ works bef In the Linux kernel, the following vulnerability has been resolved: ring-buffer: Sync IRQ works before buffer destruction If something was written to the buffer just before destruction, it may be possible (maybe not in a real system, but it did happen in ARCH=um with time-travel) to destroy the ringbuffer before the IRQ work ran, leading this KASAN

CVE-2023-53616 [HIGH] CWE-415 CVE-2023-53616: In the Linux kernel, the following vulnerability has been resolved: jfs: fix invalid free of JFS_IP In the Linux kernel, the following vulnerability has been resolved: jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount syzbot found an invalid-free in diUnmount: BUG: KASAN: double-free in slab_free mm/slub.c:3661 [inline] BUG: KASAN: double-free in __kmem_cache_free+0x71/0x110 mm/slub.c:3674 Free of addr ffff88806f410000 by task syz-exec

CVE-2023-53570 [HIGH] CWE-190 CVE-2023-53570: In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: fix integer over In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: fix integer overflow in nl80211_parse_mbssid_elems() nl80211_parse_mbssid_elems() uses a u8 variable num_elems to count the number of MBSSID elements in the nested netlink attribute attrs, which can lead to an integer overflow if a user of the nl80211 interface specif

CVE-2023-53613 [HIGH] CWE-416 CVE-2023-53613: In the Linux kernel, the following vulnerability has been resolved: dax: Fix dax_mapping_release() In the Linux kernel, the following vulnerability has been resolved: dax: Fix dax_mapping_release() use after free A CONFIG_DEBUG_KOBJECT_RELEASE test of removing a device-dax region provider (like modprobe -r dax_hmem) yields: kobject: 'mapping0' (ffff93eb460e8800): kobject_release, parent 0000000000000000 (delayed 2000) [..] DEBUG_LOCKS_WARN_ON(1)

CVE-2022-50470 [HIGH] CWE-415 CVE-2022-50470: In the Linux kernel, the following vulnerability has been resolved: xhci: Remove device endpoints f In the Linux kernel, the following vulnerability has been resolved: xhci: Remove device endpoints from bandwidth list when freeing the device Endpoints are normally deleted from the bandwidth list when they are dropped, before the virt device is freed. If xHC host is dying or being removed then the endpoints aren't dropped cleanly due to functions

CVE-2023-53541 [HIGH] CWE-787 CVE-2023-53541: In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: brcmnand: Fix pot In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write When the oob buffer length is not in multiple of words, the oob write function does out-of-bounds read on the oob source buffer at the last iteration. Fix that by always checking length limit on the oob buffer r

CVE-2023-53537 [HIGH] CWE-416 CVE-2023-53537: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid use-after-fr In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid use-after-free for cached IPU bio xfstest generic/019 reports a bug: kernel BUG at mm/filemap.c:1619! RIP: 0010:folio_end_writeback+0x8a/0x90 Call Trace: end_page_writeback+0x1c/0x60 f2fs_write_end_io+0x199/0x420 bio_endio+0x104/0x180 submit_bio_noacct+0xa5/0x510

CVE-2022-50490 [HIGH] CWE-125 CVE-2022-50490: In the Linux kernel, the following vulnerability has been resolved: bpf: Propagate error from htab_ In the Linux kernel, the following vulnerability has been resolved: bpf: Propagate error from htab_lock_bucket() to userspace In __htab_map_lookup_and_delete_batch() if htab_lock_bucket() returns -EBUSY, it will go to next bucket. Going to next bucket may not only skip the elements in current bucket silently, but also incur out-of-bound memory acces

CVE-2025-39939 [HIGH] CWE-787 CVE-2025-39939: In the Linux kernel, the following vulnerability has been resolved: iommu/s390: Fix memory corrupti In the Linux kernel, the following vulnerability has been resolved: iommu/s390: Fix memory corruption when using identity domain zpci_get_iommu_ctrs() returns counter information to be reported as part of device statistics; these counters are stored as part of the s390_domain. The problem, however, is that the identity domain is not backed by an s39

CVE-2023-53575 [HIGH] CWE-125 CVE-2023-53575: In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix potenti In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix potential array out of bounds access Account for IWL_SEC_WEP_KEY_OFFSET when needed while verifying key_len size in iwl_mvm_sec_key_add().

CVE-2023-53600 [HIGH] CWE-125 CVE-2023-53600: In the Linux kernel, the following vulnerability has been resolved: tunnels: fix kasan splat when g In the Linux kernel, the following vulnerability has been resolved: tunnels: fix kasan splat when generating ipv4 pmtu error If we try to emit an icmp error in response to a nonliner skb, we get BUG: KASAN: slab-out-of-bounds in ip_compute_csum+0x134/0x220 Read of size 4 at addr ffff88811c50db00 by task iperf3/1691 CPU: 2 PID: 1691 Comm: iperf3 Not

CVE-2022-50508 [HIGH] CWE-125 CVE-2022-50508: In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt76x0: fix oob acc In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt76x0: fix oob access in mt76x0_phy_get_target_power After 'commit ba45841ca5eb ("wifi: mt76: mt76x02: simplify struct mt76x02_rate_power")', mt76x02 relies on ht[0-7] rate_power data for vht mcs{0,7}, while it uses vth[0-1] rate_power for vht mcs {8,9}. Fix a possible

CVE-2022-50499 [HIGH] CWE-415 CVE-2022-50499: In the Linux kernel, the following vulnerability has been resolved: media: dvb-core: Fix double fre In the Linux kernel, the following vulnerability has been resolved: media: dvb-core: Fix double free in dvb_register_device() In function dvb_register_device() -> dvb_register_media_device() -> dvb_create_media_entity(), dvb->entity is allocated and initialized. If the initialization fails, it frees the dvb->entity, and return an error code. The cal

CVE-2023-53569 [HIGH] CVE-2023-53569: In the Linux kernel, the following vulnerability has been resolved: ext2: Check block size validity In the Linux kernel, the following vulnerability has been resolved: ext2: Check block size validity during mount Check that log of block size stored in the superblock has sensible value. Otherwise the shift computing the block size can overflow leading to undefined behavior.

CVE-2023-53536 [HIGH] CWE-416 CVE-2023-53536: In the Linux kernel, the following vulnerability has been resolved: blk-crypto: make blk_crypto_evi In the Linux kernel, the following vulnerability has been resolved: blk-crypto: make blk_crypto_evict_key() more robust If blk_crypto_evict_key() sees that the key is still in-use (due to a bug) or that ->keyslot_evict failed, it currently just returns while leaving the key linked into the keyslot management structures. However, blk_crypto_evict_ke

CVE-2025-39952 [HIGH] CWE-787 CVE-2025-39952: In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: avoid buffer ov In the Linux kernel, the following vulnerability has been resolved: wifi: wilc1000: avoid buffer overflow in WID string configuration Fix the following copy overflow warning identified by Smatch checker. drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame() error: '__memcpy()' 'cfg->s[i]->str' copy overflow (512 vs

CVE-2022-50488 [HIGH] CWE-416 CVE-2022-50488: In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix possible uaf fo In the Linux kernel, the following vulnerability has been resolved: block, bfq: fix possible uaf for 'bfqq->bic' Our test report a uaf for 'bfqq->bic' in 5.10: BUG: KASAN: use-after-free in bfq_select_queue+0x378/0xa30 CPU: 6 PID: 2318352 Comm: fsstress Kdump: loaded Not tainted 5.10.0-60.18.0.50.h602.kasan.eulerosv2r11.x86_64 #1 Hardware name: QE

CVE-2022-50478 [HIGH] CWE-125 CVE-2022-50478: In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix shift-out-of-bounds In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() Patch series "nilfs2: fix UBSAN shift-out-of-bounds warnings on mount time". The first patch fixes a bug reported by syzbot, and the second one fixes the remaining bug of the same kind. Although they are triggered b