Linux Kernel vulnerabilities

CVE-2022-50328 [HIGH] CWE-416 CVE-2022-50328: In the Linux kernel, the following vulnerability has been resolved: jbd2: fix potential use-after-f In the Linux kernel, the following vulnerability has been resolved: jbd2: fix potential use-after-free in jbd2_fc_wait_bufs In 'jbd2_fc_wait_bufs' use 'bh' after put buffer head reference count which may lead to use-after-free. So judge buffer if uptodate before put buffer head reference count.

CVE-2022-50245 [HIGH] CWE-416 CVE-2022-50245: In the Linux kernel, the following vulnerability has been resolved: rapidio: fix possible UAF when In the Linux kernel, the following vulnerability has been resolved: rapidio: fix possible UAF when kfifo_alloc() fails If kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free priv. But priv is still in the chdev->file_list, then list traversal may cause UAF. This fixes the following smatch warning: drivers/rapidio/devices/rio_mport_

CVE-2022-50248 [HIGH] CWE-415 CVE-2022-50248: In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix double In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix double free on tx path. We see kernel crashes and lockups and KASAN errors related to ax210 firmware crashes. One of the KASAN dumps pointed at the tx path, and it appears there is indeed a way to double-free an skb. If iwl_mvm_tx_skb_sta returns non-zero, th

CVE-2023-53238 [HIGH] CWE-125 CVE-2023-53238: In the Linux kernel, the following vulnerability has been resolved: phy: hisilicon: Fix an out of b In the Linux kernel, the following vulnerability has been resolved: phy: hisilicon: Fix an out of bounds check in hisi_inno_phy_probe() The size of array 'priv->ports[]' is INNO_PHY_PORT_NUM. In the for loop, 'i' is used as the index for array 'priv->ports[]' with a check (i > INNO_PHY_PORT_NUM) which indicates that INNO_PHY_PORT_NUM is allowed val

CVE-2022-50234 [HIGH] CVE-2022-50234: In the Linux kernel, the following vulnerability has been resolved: io_uring/af_unix: defer registe In the Linux kernel, the following vulnerability has been resolved: io_uring/af_unix: defer registered files gc to io_uring release Instead of putting io_uring's registered files in unix_gc() we want it to be done by io_uring itself. The trick here is to consider io_uring registered files for cycle detection but not actually putting them down. Because io_ur

CVE-2022-50240 [HIGH] CWE-416 CVE-2022-50240: In the Linux kernel, the following vulnerability has been resolved: android: binder: stop saving a In the Linux kernel, the following vulnerability has been resolved: android: binder: stop saving a pointer to the VMA Do not record a pointer to a VMA outside of the mmap_lock for later use. This is unsafe and there are a number of failure paths *after* the recorded VMA pointer may be freed during setup. There is no callback to the driver to clear th

CVE-2022-50310 [HIGH] CWE-416 CVE-2022-50310: In the Linux kernel, the following vulnerability has been resolved: ip6mr: fix UAF issue in ip6mr_s In the Linux kernel, the following vulnerability has been resolved: ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed If the initialization fails in calling addrconf_init_net(), devconf_all is the pointer that has been released. Then ip6mr_sk_done() is called to release the net, accessing devconf->mc_forwarding directly causes

CVE-2023-53222 [HIGH] CWE-125 CVE-2023-53222: In the Linux kernel, the following vulnerability has been resolved: jfs: jfs_dmap: Validate db_l2nb In the Linux kernel, the following vulnerability has been resolved: jfs: jfs_dmap: Validate db_l2nbperpage while mounting In jfs_dmap.c at line 381, BLKTODMAP is used to get a logical block number inside dbFree(). db_l2nbperpage, which is the log2 number of blocks per page, is passed as an argument to BLKTODMAP which uses it for shifting. Syzbot re

CVE-2023-53214 [HIGH] CWE-787 CVE-2023-53214: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid potential me In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid potential memory corruption in __update_iostat_latency() Add iotype sanity check to avoid potential memory corruption. This is to fix the compile error below: fs/f2fs/iostat.c:231 __update_iostat_latency() error: buffer overflow 'io_lat->peak_lat[type]' 3 type; 2

CVE-2023-53218 [HIGH] CVE-2023-53218: In the Linux kernel, the following vulnerability has been resolved: rxrpc: Make it so that a waitin In the Linux kernel, the following vulnerability has been resolved: rxrpc: Make it so that a waiting process can be aborted When sendmsg() creates an rxrpc call, it queues it to wait for a connection and channel to be assigned and then waits before it can start shovelling data as the encrypted DATA packet content includes a summary of the connection paramet

CVE-2025-39802 [HIGH] CVE-2025-39802: In the Linux kernel, the following vulnerability has been resolved: lib/crypto: arm/poly1305: Fix r In the Linux kernel, the following vulnerability has been resolved: lib/crypto: arm/poly1305: Fix register corruption in no-SIMD contexts Restore the SIMD usability check that was removed by commit 773426f4771b ("crypto: arm/poly1305 - Add block-only interface"). This safety check is cheap and is well worth eliminating a footgun. While the Poly1305 functio

CVE-2022-50255 [HIGH] CWE-125 CVE-2022-50255: In the Linux kernel, the following vulnerability has been resolved: tracing: Fix reading strings fr In the Linux kernel, the following vulnerability has been resolved: tracing: Fix reading strings from synthetic events The follow commands caused a crash: # cd /sys/kernel/tracing # echo 's:open char file[]' > dynamic_events # echo 'hist:keys=common_pid:file=filename:onchange($file).trace(open,$file)' > events/syscalls/sys_enter_openat/trigger' # e

CVE-2022-50307 [HIGH] CWE-125 CVE-2022-50307: In the Linux kernel, the following vulnerability has been resolved: s390/cio: fix out-of-bounds acc In the Linux kernel, the following vulnerability has been resolved: s390/cio: fix out-of-bounds access on cio_ignore free The channel-subsystem-driver scans for newly available devices whenever device-IDs are removed from the cio_ignore list using a command such as: echo free >/proc/cio_ignore Since an I/O device scan might interfer with running I

CVE-2022-50333 [HIGH] CWE-125 CVE-2022-50333: In the Linux kernel, the following vulnerability has been resolved: fs: jfs: fix shift-out-of-bound In the Linux kernel, the following vulnerability has been resolved: fs: jfs: fix shift-out-of-bounds in dbDiscardAG This should be applied to most URSAN bugs found recently by syzbot, by guarding the dbMount. As syzbot feeding rubbish into the bmap descriptor.

CVE-2023-53252 [HIGH] CWE-416 CVE-2023-53252: In the Linux kernel, the following vulnerability has been resolved: Bluetooth: use RCU for hci_conn In the Linux kernel, the following vulnerability has been resolved: Bluetooth: use RCU for hci_conn_params and iterate safely in hci_sync hci_update_accept_list_sync iterates over hdev->pend_le_conns and hdev->pend_le_reports, and waits for controller events in the loop body, without holding hdev lock. Meanwhile, these lists and the items may be mo

CVE-2023-53205 [HIGH] CWE-787 CVE-2023-53205: In the Linux kernel, the following vulnerability has been resolved: KVM: s390/diag: fix racy access In the Linux kernel, the following vulnerability has been resolved: KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler We do check for target CPU == -1, but this might change at the time we are going to use it. Hold the physical target CPU in a local variable to avoid out-of-bound accesses to the cpu arrays.

CVE-2022-50270 [HIGH] CVE-2022-50270: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix the assign logic of i In the Linux kernel, the following vulnerability has been resolved: f2fs: fix the assign logic of iocb commit 18ae8d12991b ("f2fs: show more DIO information in tracepoint") introduces iocb field in 'f2fs_direct_IO_enter' trace event And it only assigns the pointer and later it accesses its field in trace print log. Unable to handle kernel paging request at

CVE-2022-50306 [HIGH] CWE-125 CVE-2022-50306: In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential out of boun In the Linux kernel, the following vulnerability has been resolved: ext4: fix potential out of bound read in ext4_fc_replay_scan() For scan loop must ensure that at least EXT4_FC_TAG_BASE_LEN space. If remain space less than EXT4_FC_TAG_BASE_LEN which will lead to out of bound read when mounting corrupt file system image. ADD_RANGE/HEAD/TAIL is need

CVE-2023-53215 [HIGH] CVE-2023-53215: In the Linux kernel, the following vulnerability has been resolved: sched/fair: Don't balance task In the Linux kernel, the following vulnerability has been resolved: sched/fair: Don't balance task to its current running CPU We've run into the case that the balancer tries to balance a migration disabled task and trigger the warning in set_task_cpu() like below: ------------[ cut here ]------------ WARNING: CPU: 7 PID: 0 at kernel/sched/core.c:3115 set_ta

CVE-2023-53148 [HIGH] CWE-415 CVE-2023-53148: In the Linux kernel, the following vulnerability has been resolved: igb: Fix igb_down hung on surpr In the Linux kernel, the following vulnerability has been resolved: igb: Fix igb_down hung on surprise removal In a setup where a Thunderbolt hub connects to Ethernet and a display through USB Type-C, users may experience a hung task timeout when they remove the cable between the PC and the Thunderbolt hub. This is because the igb_down function is c