Linux Kernel vulnerabilities

14,883 known vulnerabilities affecting linux/linux_kernel.

Total CVEs: 14,883
CISA KEV: 30 (actively exploited)
Public exploits: 297
Exploited in wild: 31
Severity breakdown: CRITICAL 128, HIGH 3822, MEDIUM 8775, LOW 429, UNKNOWN 1729

Vulnerabilities

CVE-2023-53339 | MEDIUM | CVSS 5.5 | fixed in 4.19.293; ≥ 4.20, < 5.4.255; +5 more | 2025-09-17
CWE-617. In the Linux kernel, the following vulnerability has been resolved: btrfs: fix BUG_ON condition in btrfs_cancel_balance Pausing and canceling balance can race to interrupt balance lead to BUG_ON panic in btrfs_cancel_balance. The BUG_ON condition in btrfs_cancel_balance does not take this race scenario into account. However, the race condition has
Sources: nvd, osv
CVE-2023-53368 | MEDIUM | CVSS 4.7 | ≥ 3.10, < 5.4.257; ≥ 5.5, < 5.10.195; +4 more | 2025-09-17
CWE-362. In the Linux kernel, the following vulnerability has been resolved: tracing: Fix race issue between cpu buffer write and swap Warning happened in rb_end_commit() at code: if (RB_WARN_ON(cpu_buffer, !local_read(&cpu_buffer->committing))) WARNING: CPU: 0 PID: 139 at kernel/trace/ring_buffer.c:3142 rb_commit+0x402/0x4a0 Call Trace: ring_buffer_unloc
Sources: nvd, osv
CVE-2023-53344 | MEDIUM | CVSS 5.5 | ≥ 4.8, < 4.14.312; ≥ 4.15, < 4.19.280; +6 more | 2025-09-17
CWE-908. In the Linux kernel, the following vulnerability has been resolved: can: bcm: bcm_tx_setup(): fix KMSAN uninit-value in vfs_write Syzkaller reported the following issue: BUG: KMSAN: uninit-value in aio_rw_done fs/aio.c:1520 [inline] BUG: KMSAN: uninit-value in aio_write+0x899/0x950 fs/aio.c:1600 aio_rw_done fs/aio.c:1520 [inline] aio_write+0x899/
Sources: nvd, osv
CVE-2023-53353 | MEDIUM | CVSS 5.5 | ≥ 5.1, < 6.3.4 | 2025-09-17
CWE-401. In the Linux kernel, the following vulnerability has been resolved: accel/habanalabs: postpone mem_mgr IDR destruction to hpriv_release() The memory manager IDR is currently destroyed when user releases the file descriptor. However, at this point the user context might be still held, and memory buffers might be still in use. Later on, calls to rel
Sources: nvd, osv
CVE-2023-53362 | MEDIUM | CVSS 5.5 | ≥ 6.1, < 6.1.39; ≥ 6.2, < 6.4.4 | 2025-09-17
In the Linux kernel, the following vulnerability has been resolved: bus: fsl-mc: don't assume child devices are all fsl-mc devices Changes in VFIO caused a pseudo-device to be created as child of fsl-mc devices causing a crash [1] when trying to bind a fsl-mc device to VFIO. Fix this by checking the device type when enumerating fsl-mc child devices. [1]
Sources: nvd, osv
CVE-2022-50363 | MEDIUM | CVSS 5.5 | ≥ 6.0, < 6.0.6; v6.1 | 2025-09-17
CWE-416. In the Linux kernel, the following vulnerability has been resolved: skmsg: pass gfp argument to alloc_sk_msg() syzbot found that alloc_sk_msg() could be called from a non sleepable context. sk_psock_verdict_recv() uses rcu_read_lock() protection. We need the callers to pass a gfp_t argument to avoid issues. syzbot report was: BUG: sleeping func
Sources: nvd, osv
CVE-2022-50372 | MEDIUM | CVSS 5.5 | ≥ 5.16, < 6.0.6; v6.1 | 2025-09-17
CWE-401. In the Linux kernel, the following vulnerability has been resolved: cifs: Fix memory leak when build ntlmssp negotiate blob failed There is a memory leak when mount cifs: unreferenced object 0xffff888166059600 (size 448): comm "mount.cifs", pid 51391, jiffies 4295596373 (age 330.596s) hex dump (first 32 bytes): fe 53 4d 42 40 00 00 00 00 00 00 00
Sources: nvd, osv
CVE-2022-50357 | MEDIUM | CVSS 5.5 | ≥ 5.13, < 5.19.17; ≥ 6.0, < 6.0.3 | 2025-09-17
CWE-401. In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: fix some leaks in probe The dwc3_get_properties() function calls: dwc->usb_psy = power_supply_get_by_name(usb_psy_name); so there is some additional clean up required on these error paths.
Sources: nvd, osv
CVE-2022-50365 | MEDIUM | CVSS 5.5 | ≥ 4.9.194, < 4.9.337; ≥ 4.14.145, < 4.14.303; +8 more | 2025-09-17
In the Linux kernel, the following vulnerability has been resolved: skbuff: Account for tail adjustment during pull operations Extending the tail can have some unexpected side effects if a program uses a helper like BPF_FUNC_skb_pull_data to read partial content beyond the head skb headlen when all the skbs in the gso frag_list are linear with no head_fra
Sources: nvd, osv
CVE-2022-50359 | MEDIUM | CVSS 5.5 | fixed in 4.9.331; ≥ 4.10, < 4.14.296; +6 more | 2025-09-17
CWE-476. In the Linux kernel, the following vulnerability has been resolved: media: cx88: Fix a null-ptr-deref bug in buffer_prepare() When the driver calls cx88_risc_buffer() to prepare the buffer, the function call may fail, resulting in a empty buffer and null-ptr-deref later in buffer_queue(). The following log can reveal it: [ 41.822762] general pro
Sources: nvd, osv
CVE-2023-53346 | MEDIUM | CVSS 5.5 | fixed in 5.4.235; ≥ 5.5, < 5.10.173; +3 more | 2025-09-17
CWE-401. In the Linux kernel, the following vulnerability has been resolved: kernel/fail_function: fix memory leak with using debugfs_lookup() When calling debugfs_lookup() the result must have dput() called on it, otherwise the memory will leak over time. To make things simpler, just call debugfs_lookup_and_remove() instead which handles all of the logic
Sources: nvd, osv
CVE-2023-53349 | MEDIUM | CVSS 5.5 | ≥ 5.8, < 5.10.173; ≥ 5.11, < 5.15.99; +2 more | 2025-09-17
CWE-401. In the Linux kernel, the following vulnerability has been resolved: media: ov2740: Fix memleak in ov2740_init_controls() There is a kmemleak when testing the media/i2c/ov2740.c with bpf mock device: unreferenced object 0xffff8881090e19e0 (size 16): comm "51-i2c-ov2740", pid 278, jiffies 4294781584 (age 23.613s) hex dump (first 16 bytes): 00 f3 7c
Sources: nvd, osv
CVE-2023-53342 | MEDIUM | CVSS 5.5 | ≥ 6.1, < 6.1.46; ≥ 6.2, < 6.4.11; +1 more | 2025-09-17
In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix handling IPv4 routes with nhid Fix handling IPv4 routes referencing a nexthop via its id by replacing calls to fib_info_nh() with fib_info_nhc(). Trying to add an IPv4 route referencing a nextop via nhid: $ ip link set up swp5 $ ip a a 10.0.0.1/24 dev swp5 $
Sources: nvd, osv
CVE-2022-50360 | MEDIUM | CVSS 5.5 | ≥ 5.19, < 6.0.7; v6.1 | 2025-09-17
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: fix aux-bus EP lifetime Device-managed resources allocated post component bind must be tied to the lifetime of the aggregate DRM device or they will not necessarily be released when binding of the aggregate device is deferred. This can lead resource leaks or failure to bind t
Sources: nvd, osv
CVE-2023-53322 | HIGH | CVSS 7.8 | fixed in 4.14.322; ≥ 4.15, < 4.19.291; +5 more | 2025-09-16
CWE-416. In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Wait for io return on terminate rport System crash due to use after free. Current code allows terminate_rport_io to exit before making sure all IOs has returned. For FCP-2 device, IO's can hang on in HW because driver has not tear down the session in FW at first sign
Sources: nvd, osv
CVE-2023-53274 | HIGH | CVSS 7.8 | ≥ 6.4, < 6.4.10; v6.5 | 2025-09-16
CWE-787. In the Linux kernel, the following vulnerability has been resolved: clk: mediatek: mt8183: Add back SSPM related clocks This reverts commit 860690a93ef23b567f781c1b631623e27190f101. On the MT8183, the SSPM related clocks were removed claiming a lack of usage. This however causes some issues when the driver was converted to the new simple-probe mech
Sources: nvd, osv
CVE-2023-53316 | HIGH | CVSS 7.8 | ≥ 5.10, < 5.10.188; ≥ 5.11, < 5.15.121; +3 more | 2025-09-16
CWE-416. In the Linux kernel, the following vulnerability has been resolved: drm/msm/dp: Free resources after unregistering them The DP component's unbind operation walks through the submodules to unregister and clean things up. But if the unbind happens because the DP controller itself is being removed, all the memory for those submodules has just been free
Sources: nvd, osv
CVE-2025-39824 | HIGH | CVSS 7.8 | ≥ 4.10, < 5.4.298; ≥ 5.5, < 5.10.242; +6 more | 2025-09-16
CWE-416. In the Linux kernel, the following vulnerability has been resolved: HID: asus: fix UAF via HID_CLAIMED_INPUT validation After hid_hw_start() is called hidinput_connect() will eventually be called to set up the device with the input layer since the HID_CONNECT_DEFAULT connect mask is used. During hidinput_connect() all input and output reports are pr
Sources: nvd, osv
CVE-2023-53282 | HIGH | CVSS 7.8 | fixed in 5.15.99; ≥ 5.16, < 6.1.16; +1 more | 2025-09-16
CWE-416. In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix use-after-free KFENCE violation during sysfs firmware write During the sysfs firmware write process, a use-after-free read warning is logged from the lpfc_wr_object() routine: BUG: KFENCE: use-after-free read in lpfc_wr_object+0x235/0x310 [lpfc] Use-after-free read a
Sources: nvd, osv
CVE-2023-53333 | HIGH | CVSS 7.1 | ≥ 2.6.26, < 5.4.251; ≥ 5.5, < 5.10.188; +4 more | 2025-09-16
CWE-125. In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: dccp: copy entire header to stack buffer, not just basic one Eric Dumazet says: nf_conntrack_dccp_packet() has an unique: dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &_dh); And nothing more is 'pulled' from the packet, depending on the content. dh->dcc
Sources: nvd, osv