Linux Kernel vulnerabilities
14,742 known vulnerabilities affecting linux/linux_kernel.
Total CVEs: 14,742
CISA KEV: 29 (actively exploited)
Public exploits: 297
Exploited in wild: 31
Severity breakdown
CRITICAL: 112, HIGH: 3715, MEDIUM: 8619, LOW: 440, UNKNOWN: 1856
Vulnerabilities
CVE-2022-50408 | HIGH | CVSS 7.8 | CWE-416 | fixed in 4.14.296; ≥ 4.15, < 4.19.262; +5 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
> ret = brcmf_proto_tx_queue_data(drvr, ifp->ifidx, skb);
may be schedule, and then complete before the line
> ndev->stats.tx_bytes += skb->len;
[ 46.912801] ======================================================
Sources: NVD, OSV

CVE-2023-53426 | HIGH | CVSS 7.8 | CWE-416 | ≥ 5.15.33, < 5.15.132; ≥ 5.16.19, < 5.17; +2 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
xsk: Fix xsk_diag use-after-free error during socket cleanup
Fix a use-after-free error that is possible if the xsk_diag interface
is used after the socket has been unbound from the device. This can
happen either due to the socket being closed or the device
disappearing. In the earl
Sources: NVD, OSV

CVE-2022-50394 | HIGH | CVSS 7.1 | CWE-125 | ≥ 3.9, < 4.9.337; ≥ 4.10, < 4.14.303; +6 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
i2c: ismt: Fix an out-of-bounds bug in ismt_access()
When the driver does not check the data from the user, the variable
'data->block[0]' may be very large to cause an out-of-bounds bug.
The following log can reveal it:
[ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20
Sources: NVD, OSV

CVE-2023-53374 | HIGH | CVSS 7.8 | CWE-416 | ≥ 6.3.8, < 6.4; ≥ 6.4.1, < 6.4.16; +2 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_conn: fail SCO/ISO via hci_conn_failed if ACL gone early
Not calling hci_(dis)connect_cfm before deleting conn referred to by a
socket generally results to use-after-free.
When cleaning up SCO connections when the parent ACL is deleted too
early, use hci_conn_failed
Sources: NVD, OSV

CVE-2022-50384 | HIGH | CVSS 7.8 | CWE-416 | ≥ 4.2, < 4.9.337; ≥ 4.10, < 4.14.303; +6 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
staging: vme_user: Fix possible UAF in tsi148_dma_list_add
Smatch report warning as follows:
drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn:
'&entry->list' not removed from list
In tsi148_dma_list_add(), the error path "goto err_dma" will not
remove entry->l
Sources: NVD, OSV

CVE-2023-53446 | HIGH | CVSS 7.8 | CWE-416 | ≥ 4.11, < 5.4.251; ≥ 5.5, < 5.10.188; +4 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free
Struct pcie_link_state->downstream is a pointer to the pci_dev of function
0. Previously we retained that pointer when removing function 0, and
subsequent ASPM policy changes dereferenced it, resulting in a
use-a
Sources: NVD, OSV

CVE-2023-53376 | HIGH | CVSS 7.1 | CWE-125 | ≥ 5.14, < 6.1.18; ≥ 6.2, < 6.2.5 | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
scsi: mpi3mr: Use number of bits to manage bitmap sizes
To allocate bitmaps, the mpi3mr driver calculates sizes of bitmaps using
byte as unit. However, bitmap helper functions assume that bitmaps are
allocated using unsigned long as unit. This gap causes memory access beyond
the bit
Sources: NVD, OSV

CVE-2022-50413 | HIGH | CVSS 7.8 | CWE-416 | ≥ 6.0, < 6.0.3 | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
wifi: mac80211: fix use-after-free
We've already freed the assoc_data at this point, so need
to use another copy of the AP (MLD) address instead.
Sources: NVD, OSV

CVE-2023-53377 | HIGH | CVSS 7.8 | CWE-416 | ≥ 6.0.16, < 6.1.39; ≥ 6.2, < 6.3.13; +1 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
cifs: prevent use-after-free by freeing the cfile later
In smb2_compound_op we have a possible use-after-free
which can cause hard to debug problems later on.
This was revealed during stress testing with KASAN enabled
kernel. Fixing it by moving the cfile free call to
a few lines b
Sources: NVD, OSV

CVE-2022-50419 | HIGH | CVSS 7.8 | CWE-415 | ≥ 2.6.19, < 4.9.331; ≥ 4.10, < 4.14.296; +6 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times
device_add shall not be called multiple times as stated in its
documentation:
'Do not call this routine or device_register() more than once for
any device structure'
Syzkaller reports a bug as follows [1]:
----
Sources: NVD, OSV

CVE-2022-50401 | HIGH | CVSS 7.8 | CWE-415 | ≥ 4.4.229, < 4.5; ≥ 4.9.229, < 4.9.337; +7 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
On error situation `clp->cl_cb_conn.cb_xprt` should not be given
a reference to the xprt otherwise both client cleanup and the
error handling path of the caller call to put it. Better to
delay handing over the refere
Sources: NVD, OSV

CVE-2022-50417 | HIGH | CVSS 7.8 | CWE-416 | ≥ 5.2, < 5.10.163; ≥ 5.11, < 5.15.87; +3 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
drm/panfrost: Fix GEM handle creation ref-counting
panfrost_gem_create_with_handle() previously returned a BO but with the
only reference being from the handle, which user space could in theory
guess and release, causing a use-after-free. Additionally if the call to
panfrost_gem_map
Sources: NVD, OSV

CVE-2023-53398 | HIGH | CVSS 7.8 | CWE-416 | ≥ 6.0, < 6.1.18; ≥ 6.2, < 6.2.5 | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
mlx5: fix possible ptp queue fifo use-after-free
Fifo indexes are not checked during pop operations and it leads to
potential use-after-free when popping from empty queue. Such case was
possible during re-sync action. WARN_ON_ONCE covers future cases.
There were out-of-order cqe spo
Sources: NVD, OSV

CVE-2023-53432 | HIGH | CVSS 7.8 | CWE-416 | fixed in 5.15.128; ≥ 5.16, < 6.1.47; +1 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
firewire: net: fix use after free in fwnet_finish_incoming_packet()
The netif_rx() function frees the skb so we can't dereference it to
save the skb->len.
Sources: NVD, OSV

CVE-2023-53392 | HIGH | CVSS 7.1 | ≥ 5.16.1, < 6.1.25; ≥ 6.2, < 6.2.12; +2 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
HID: intel-ish-hid: Fix kernel panic during warm reset
During warm reset device->fw_client is set to NULL. If a bus driver is
registered after this NULL setting and before new firmware clients are
enumerated by ISHTP, kernel panic will result in the function
ishtp_cl_bus_match(). This is bec
Sources: NVD, OSV

CVE-2022-50378 | HIGH | CVSS 7.8 | CWE-416 | ≥ 4.10, < 5.15.75; ≥ 5.16, < 5.19.17; +1 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
drm/meson: reorder driver deinit sequence to fix use-after-free bug
Unloading the driver triggers the following KASAN warning:
[ +0.006275] =============================================================
[ +0.000029] BUG: KASAN: use-after-free in __list_del_entry_valid+0xe0/0x1a0
[ +
Sources: NVD, OSV

CVE-2023-53395 | HIGH | CVSS 7.8 | CWE-129 | fixed in 4.14.326; ≥ 4.15, < 4.19.295; +5 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
ACPICA commit 90310989a0790032f5a0140741ff09b545af4bc5
According to the ACPI specification 19.6.134, no argument is required to be passed for ASL Timer instruction. For taking care of no argument, AML_NO_OPERAND_RESOLVE flag is added
Sources: NVD, OSV

CVE-2023-53420 | HIGH | CVSS 7.1 | CWE-125 | ≥ 5.15, < 5.15.121; ≥ 5.16, < 6.1.39; +1 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
ntfs: Fix panic about slab-out-of-bounds caused by ntfs_listxattr()
Here is a BUG report from syzbot:
BUG: KASAN: slab-out-of-bounds in ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]
BUG: KASAN: slab-out-of-bounds in ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710
Read of size 1 at add
Sources: NVD, OSV

CVE-2023-53372 | HIGH | CVSS 7.8 | CWE-787 | ≥ 4.16, < 4.19.281; ≥ 4.20, < 5.4.241; +5 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
sctp: fix a potential overflow in sctp_ifwdtsn_skip
Currently, when traversing ifwdtsn skips with _sctp_walk_ifwdtsn, it only
checks the pos against the end of the chunk. However, the data left for
the last pos may be < sizeof(struct sctp_ifwdtsn_skip), and dereference
it as struct s
Sources: NVD, OSV

CVE-2022-50411 | HIGH | CVSS 7.8 | CWE-416 | fixed in 4.9.337; ≥ 4.10, < 4.14.303; +6 more | 2025-09-18
In the Linux kernel, the following vulnerability has been resolved:
ACPICA: Fix error code path in acpi_ds_call_control_method()
A use-after-free in acpi_ps_parse_aml() after a failing invocation of
acpi_ds_call_control_method() is reported by KASAN [1] and code
inspection reveals that next_walk_state pushed to the thread by
acpi_ds_create_walk_state(
Sources: NVD, OSV