Linux Kernel vulnerabilities
14,742 known vulnerabilities affecting linux/linux_kernel.
Total CVEs: 14,742
CISA KEV: 29 (actively exploited)
Public exploits: 297
Exploited in wild: 31
Severity breakdown: CRITICAL 112, HIGH 3715, MEDIUM 8619, LOW 440, UNKNOWN 1856
Vulnerabilities
CVE-2025-39908 | MEDIUM | CVSS 5.5 | ≥ 6.15, < 6.16.8; v6.17 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
net: dev_ioctl: take ops lock in hwtstamp lower paths
ndo hwtstamp callbacks are expected to run under the per-device ops
lock. Make the lower get/set paths consistent with the rest of ndo
invocations.
Kernel log:
WARNING: CPU: 13 PID: 51364 at ./include/net/netdev_lock.h:70 __netdev_upd
Sources: NVD, OSV
CVE-2022-50438 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 5.10, < 5.10.153; ≥ 5.11, < 5.15.77; +2 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
net: hinic: fix memory leak when reading function table
When the input parameter idx meets the expected case option in
hinic_dbg_get_func_table(), read_data is not released. Fix it.
Sources: NVD, OSV
CVE-2022-50446 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 5.15, < 5.15.77; ≥ 5.16, < 6.0.7; +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
ARC: mm: fix leakage of memory allocated for PTE
Since commit d9820ff ("ARC: mm: switch pgtable_t back to struct page *")
a memory leakage problem occurs. Memory allocated for page table entries
not released during process termination. This issue can be reproduced by
a small progra
Sources: NVD, OSV
CVE-2022-50453 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 4.8, < 5.10.163; ≥ 5.11, < 5.15.86; +2 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
gpiolib: cdev: fix NULL-pointer dereferences
There are several places where we can crash the kernel by requesting
lines, unbinding the GPIO device, then calling any of the system calls
relevant to the GPIO character device's anonymous file descriptors:
ioctl(), read(), poll().
W
Sources: NVD, OSV
CVE-2023-53472 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 4.9.284, < 4.10; ≥ 4.14.248, < 4.14.326; +6 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
pwm: lpc32xx: Remove handling of PWM channels
Because LPC32xx PWM controllers have only a single output which is
registered as the only PWM device/channel per controller, it is known in
advance that pwm->hwpwm value is always 0. On basis of this fact
simplify the code by removing
Sources: NVD, OSV
CVE-2023-53478 | MEDIUM | CVSS 4.7 | CWE-362 | ≥ 5.18, < 6.1.24; ≥ 6.2, < 6.2.11; +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
tracing/synthetic: Fix races on freeing last_cmd
Currently, the "last_cmd" variable can be accessed by multiple processes
asynchronously when multiple users manipulate synthetic_events node
at the same time, it could lead to use-after-free or double-free.
This patch add "lastcmd_
Sources: NVD, OSV
CVE-2022-50464 | MEDIUM | CVSS 5.5 | ≥ 5.12, < 6.0.16; ≥ 6.1, < 6.1.2 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
mt76: mt7915: Fix PCI device refcount leak in mt7915_pci_init_hif2()
As the comment of pci_get_device() says, it returns a pci_device with its
refcount increased. We need to call pci_dev_put() to decrease the
refcount. Save the return value of pci_get_device() and call
pci_dev_put() to decrea
Sources: NVD, OSV
CVE-2025-39914 | MEDIUM | CVSS 5.5 | CWE-415 | ≥ 5.16, < 6.1.153; ≥ 6.2, < 6.6.107; +3 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
tracing: Silence warning when chunk allocation fails in trace_pid_write
Syzkaller triggers a fault injection warning:
WARNING: CPU: 1 PID: 12326 at tracepoint_add_func+0xbfc/0xeb0
Modules linked in:
CPU: 1 UID: 0 PID: 12326 Comm: syz.6.10325 Tainted: G U 6.14.0-rc5-syzkaller #0
Ta
Sources: NVD, OSV
CVE-2023-53456 | MEDIUM | CVSS 5.5 | ≥ 3.2, < 4.14.326; ≥ 4.15, < 4.19.295; +6 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
scsi: qla4xxx: Add length check when parsing nlattrs
There are three places that qla4xxx parses nlattrs:
- qla4xxx_set_chap_entry()
- qla4xxx_iface_set_param()
- qla4xxx_sysfs_ddb_set_param()
and each of them directly converts the nlattr to specific pointer of
structure without length
Sources: NVD, OSV
CVE-2023-53496 | MEDIUM | CVSS 5.5 | ≥ 6.5, < 6.5.5; v6.6 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
x86/platform/uv: Use alternate source for socket to node data
The UV code attempts to build a set of tables to allow it to do
bidirectional socket<=>node lookups.
But when nr_cpus is set to a smaller number than actually present, the
cpu_to_node() mapping information for unused CPUs is not a
Sources: NVD, OSV
CVE-2022-50428 | MEDIUM | CVSS 5.5 | CWE-193 | ≥ 5.10, < 5.15.87; ≥ 5.16, < 6.0.18; +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix off-by-one errors in fast-commit block filling
Due to several different off-by-one errors, or perhaps due to a late
change in design that wasn't fully reflected in the code that was
actually merged, there are several very strange constraints on how
fast-commit blocks are
Sources: NVD, OSV
CVE-2023-53460 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 5.2, < 6.3.4 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
wifi: rtw88: fix memory leak in rtw_usb_probe()
drivers/net/wireless/realtek/rtw88/usb.c:876 rtw_usb_probe()
warn: 'hw' from ieee80211_alloc_hw() not released on lines: 811
Fix this by modifying return to a goto statement.
Sources: NVD, OSV
CVE-2025-39894 | MEDIUM | CVSS 5.5 | ≥ 5.15.151, < 5.15.192; ≥ 6.1.81, < 6.1.151; +6 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
netfilter: br_netfilter: do not check confirmed bit in br_nf_local_in() after confirm
When sending a broadcast packet to a tap device, which was added to a bridge,
br_nf_local_in() is called to confirm the conntrack. If another conntrack
with the same hash value is added to the hash table, w
Sources: NVD, OSV
CVE-2023-53513 | MEDIUM | CVSS 5.5 | CWE-674 | ≥ 4.1, < 5.15.113; ≥ 5.16, < 6.1.30; +1 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
nbd: fix incomplete validation of ioctl arg
We tested and found an alarm caused by nbd_ioctl arg without verification.
The UBSAN warning calltrace is like below:
UBSAN: Undefined behaviour in fs/buffer.c:1709:35
signed integer overflow:
-9223372036854775808 - 1 cannot be represented
Sources: NVD, OSV
CVE-2023-53470 | MEDIUM | CVSS 5.5 | CWE-476 | ≥ 5.4, < 5.15.112; ≥ 5.16, < 6.1.29; +2 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
ionic: catch failure from devlink_alloc
Add a check for NULL on the alloc return. If devlink_alloc() fails and
we try to use devlink_priv() on the NULL return, the kernel gets very
unhappy and panics. With this fix, the driver load will still fail,
but at least it won't panic the
Sources: NVD, OSV
CVE-2022-50457 | MEDIUM | CVSS 5.5 | ≥ 5.17, < 6.0.16; ≥ 6.1, < 6.1.2 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
mtd: core: Fix refcount error in del_mtd_device()
del_mtd_device() will call of_node_put() to mtd_get_of_node(mtd), which
is mtd->dev.of_node. However, memset(&mtd->dev, 0) is called before
of_node_put(). As a result, of_node_put() won't do anything in
del_mtd_device(), and causes the r
Sources: NVD, OSV
CVE-2022-50468 | MEDIUM | CVSS 5.5 | ≥ 5.7, < 5.10.163; ≥ 5.11, < 5.15.86; +2 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
platform/chrome: cros_usbpd_notify: Fix error handling in cros_usbpd_notify_init()
The following WARNING message was given when rmmod cros_usbpd_notify:
Unexpected driver unregister!
WARNING: CPU: 0 PID: 253 at drivers/base/driver.c:270 driver_unregister+0x8a/0xb0
Modules linked in: cros
Sources: NVD, OSV
CVE-2023-53525 | MEDIUM | CVSS 5.5 | CWE-908 | ≥ 5.8.17, < 5.9; ≥ 5.9.2, < 5.10.178; +4 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
RDMA/cma: Allow UD qp_type to join multicast only
As for multicast:
- The SIDR is the only mode that makes sense;
- Besides PS_UDP, other port spaces like PS_IB is also allowed, as it is
UD compatible. In this case qkey also needs to be set [1].
This patch allows only UD qp_type
Sources: NVD, OSV
CVE-2025-39927 | MEDIUM | CVSS 4.7 | CWE-362 | ≥ 2.6.35, < 6.12.48; ≥ 6.13, < 6.16.8; +2 more | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
ceph: fix race condition validating r_parent before applying state
Add validation to ensure the cached parent directory inode matches the
directory info in MDS replies. This prevents client-side race conditions
where concurrent operations (e.g. rename) cause r_parent to become sta
Sources: NVD, OSV
CVE-2023-53466 | MEDIUM | CVSS 5.5 | CWE-401 | ≥ 5.8, < 6.1.16; ≥ 6.2, < 6.2.3 | 2025-10-01
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7915: fix memory leak in mt7915_mcu_exit
Always purge mcu skb queues in mt7915_mcu_exit routine even if
mt7915_firmware_state fails.
Sources: NVD, OSV