Linux Kernel vulnerabilities

14,742 known vulnerabilities affecting linux/linux_kernel.

Total CVEs: 14,742
CISA KEV: 29 (actively exploited)
Public exploits: 297
Exploited in wild: 31
Severity breakdown: CRITICAL 112, HIGH 3715, MEDIUM 8619, LOW 440, UNKNOWN 1856

Vulnerabilities

Page 129 of 738
CVE-2023-53601 | MEDIUM | CVSS 5.5 | ≥ 5.12, < 5.15.121 | ≥ 5.16, < 6.1.39 | +2 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: bonding: do not assume skb mac_header is set
Drivers must not assume in their ndo_start_xmit() that skbs have their mac_header set. skb->data is all what is needed. bonding seems to be one of the last offender as caught by syzbot: WARNING: CPU: 1 PID: 12155 at include/linux/skbuff.h:290
nvd | osv

CVE-2023-53594 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 3.10.105, < 3.11 | ≥ 3.12.70, < 3.13 | +4 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: driver core: fix resource leak in device_add()
When calling kobject_add() failed in device_add(), it will call cleanup_glue_dir() to free resource. But in kobject_add(), dev->kobj.parent has been set to NULL. This will cause resource leak. The process is as follows: device_add() g
nvd | osv

CVE-2025-39942 | MEDIUM | CVSS 5.5 | ≥ 5.15.1, < 6.1.154 | ≥ 6.2, < 6.6.108 | +4 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbdirect: verify remaining_data_length respects max_fragmented_recv_size
This is inspired by the check for data_offset + data_length.
nvd | osv

CVE-2022-50476 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 3.9, < 4.9.337 | ≥ 4.10, < 4.14.303 | +6 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: ntb_netdev: Use dev_kfree_skb_any() in interrupt context
TX/RX callback handlers (ntb_netdev_tx_handler(), ntb_netdev_rx_handler()) can be called in interrupt context via the DMA framework when the respective DMA operations have completed. As such, any calls by these routines to f
nvd | osv

CVE-2025-39931 | MEDIUM | CVSS 5.5 | CWE-908 | ≥ 2.6.38, < 6.1.154 | ≥ 6.2, < 6.6.108 | +3 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: crypto: af_alg - Set merge to zero early in af_alg_sendmsg
If an error causes af_alg_sendmsg to abort, ctx->merge may contain a garbage value from the previous loop. This may then trigger a crash on the next entry into af_alg_sendmsg when it attempts to do a merge that can't be do
nvd | osv

CVE-2023-53590 | MEDIUM | CVSS 5.5 | CWE-667 | ≥ 5.4.226, < 5.4.235 | ≥ 5.10.158, < 5.10.173 | +5 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop
With this refcnt added in sctp_stream_priorities, we don't need to traverse all streams to check if the prio is used by other streams when freeing one stream's prio in sctp_sched_prio_free_sid(). This can avoid a
nvd | osv

CVE-2023-53564 | MEDIUM | CVSS 5.5 | CWE-617 | ≥ 3.0, < 4.14.308 | ≥ 4.15, < 4.19.276 | +5 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix defrag path triggering jbd2 ASSERT
code path:
ocfs2_ioctl_move_extents
 ocfs2_move_extents
  ocfs2_defrag_extent
   __ocfs2_move_extent
   + ocfs2_journal_access_di
   + ocfs2_split_extent //sub-paths call jbd2_journal_restart
   + ocfs2_journal_dirty //crash by jbs2 ASSERT
crash st
nvd | osv

CVE-2022-50489 | MEDIUM | CVSS 5.5 | ≥ 3.14, < 4.9.331 | ≥ 4.10, < 4.14.296 | +6 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: drm/mipi-dsi: Detach devices when removing the host
Whenever the MIPI-DSI host is unregistered, the code of mipi_dsi_host_unregister() loops over every device currently found on that bus and will unregister it. However, it doesn't detach it from the bus first, which leads to all kind of
nvd | osv

CVE-2023-53592 | MEDIUM | CVSS 5.5 | ≥ 5.6, < 5.10.163 | ≥ 5.11, < 5.15.87 | +3 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: gpio: sifive: Fix refcount leak in sifive_gpio_probe
of_irq_find_parent() returns a node pointer with refcount incremented, We should use of_node_put() on it when not needed anymore. Add missing of_node_put() to avoid refcount leak.
nvd | osv

CVE-2022-50474 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 2.6.30, < 4.9.337 | ≥ 4.10, < 4.14.303 | +6 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: macintosh: fix possible memory leak in macio_add_one_device()
After commit 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array"), the name of device is allocated dynamically. It needs to be freed when of_device_register() fails. Call put_device() to give up th
nvd | osv

CVE-2023-53585 | MEDIUM | CVSS 5.5 | ≥ 5.7, < 5.10.195 | ≥ 5.11, < 5.15.132 | +3 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: bpf: reject unhashed sockets in bpf_sk_assign
The semantics for bpf_sk_assign are as follows:
sk = some_lookup_func()
bpf_sk_assign(skb, sk)
bpf_sk_release(sk)
That is, the sk is not consumed by bpf_sk_assign. The function therefore needs to make sure that sk lives long enough to be con
nvd | osv

CVE-2023-53551 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 5.8, < 5.10.171 | ≥ 5.11, < 5.15.97 | +2 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Add null pointer check in gserial_resume
Consider a case where gserial_disconnect has already cleared gser->ioport. And if a wakeup interrupt triggers afterwards, gserial_resume gets called, which will lead to accessing of gser->ioport and thus causing null
nvd | osv

CVE-2022-50480 | MEDIUM | CVSS 5.5 | ≥ 5.0, < 5.4.220 | ≥ 5.5, < 5.10.150 | +3 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe()
The break of for_each_available_child_of_node() needs a corresponding of_node_put() when the reference 'child' is not used anymore. Here we do not need to call of_node_put() in fail path as '!match' means no break. While the o
nvd | osv

CVE-2023-53579 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 3.16.40, < 3.17 | ≥ 4.8.9, < 4.9 | +5 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: gpio: mvebu: fix irq domain leak
Uwe Kleine-König pointed out we still have one resource leak in the mvebu driver triggered on driver detach. Let's address it with a custom devm action.
nvd | osv

CVE-2023-53555 | MEDIUM | CVSS 5.5 | CWE-908 | ≥ 6.3, < 6.4.11 | v6.5 | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: initialize damo_filter->list from damos_new_filter()
damos_new_filter() is not initializing the list field of newly allocated filter object. However, DAMON sysfs interface and DAMON_RECLAIM are not initializing it after calling damos_new_filter(). As a result, acces
nvd | osv

CVE-2023-53614 | MEDIUM | CVSS 4.7 | CWE-362 | ≥ 6.1, < 6.1.22 | ≥ 6.2, < 6.2.9 | +1 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: mm/ksm: fix race with VMA iteration and mm_struct teardown
exit_mmap() will tear down the VMAs and maple tree with the mmap_lock held in write mode. Ensure that the maple tree is still valid by checking ksm_test_exit() after taking the mmap_lock in read mode, but before the for_ea
nvd | osv

CVE-2023-53574 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 5.2, < 6.5.5 | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw88: delete timer and free skb queue when unloading
Fix possible crash and memory leak on driver unload by deleting TX purge timer and freeing C2H queue in 'rtw_core_deinit()', shrink critical section in the latter by freeing COEX queue out of TX report lock scope.
nvd | osv

CVE-2023-53597 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 5.9.5, < 5.15.150 | ≥ 5.16, < 6.1.42 | +2 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: cifs: fix mid leak during reconnection after timeout threshold
When the number of responses with status of STATUS_IO_TIMEOUT exceeds a specified threshold (NUM_STATUS_IO_TIMEOUT), we reconnect the connection. But we do not return the mid, or the credits returned for the mid, or re
nvd | osv

CVE-2022-50494 | MEDIUM | CVSS 5.5 | ≥ 3.9, < 4.9.331 | ≥ 4.10, < 4.14.296 | +6 more | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash
When CPU 0 is offline and intel_powerclamp is used to inject idle, it generates kernel BUG: BUG: using smp_processor_id() in preemptible [00000000] code: bash/15687 caller is debug_smp_processor_id+0x17/
nvd | osv

CVE-2025-39941 | MEDIUM | CVSS 4.7 | CWE-362 | ≥ 6.14, < 6.16.9 | v6.17 | 2025-10-04
In the Linux kernel, the following vulnerability has been resolved: zram: fix slot write race condition
Parallel concurrent writes to the same zram index result in leaked zsmalloc handles. Schematically we can have something like this: CPU0 CPU1 zram_slot_lock() zs_free(handle) zram_slot_lock() zram_slot_lock() zs_free(handle) zram_slot_lock() c
nvd | osv