Linux Kernel vulnerabilities

CVE-2022-50303 [HIGH] CWE-415 CVE-2022-50303: In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix double release In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: Fix double release compute pasid If kfd_process_device_init_vm returns failure after vm is converted to compute vm and vm->pasid set to compute pasid, KFD will not take pdd->drm_file reference. As a result, drm close file handler maybe called to release the compute pasid

CVE-2022-50300 [HIGH] CWE-416 CVE-2022-50300: In the Linux kernel, the following vulnerability has been resolved: btrfs: fix extent map use-after In the Linux kernel, the following vulnerability has been resolved: btrfs: fix extent map use-after-free when handling missing device in read_one_chunk Store the error code before freeing the extent_map. Though it's reference counted structure, in that function it's the first and last allocation so this would lead to a potential use-after-free. The

CVE-2022-50301 [HIGH] CWE-787 CVE-2022-50301: In the Linux kernel, the following vulnerability has been resolved: iommu/omap: Fix buffer overflow In the Linux kernel, the following vulnerability has been resolved: iommu/omap: Fix buffer overflow in debugfs There are two issues here: 1) The "len" variable needs to be checked before the very first write. Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a buffer overflow. 2) The snprintf() function returns the number of bytes

CVE-2022-50325 [HIGH] CWE-787 CVE-2022-50325: In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Fix potential In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: avs: Fix potential RX buffer overflow If an event caused firmware to return invalid RX size for LARGE_CONFIG_GET, memcpy_fromio() could end up copying too many bytes. Fix by utilizing min_t().

CVE-2023-53179 [HIGH] CWE-787 CVE-2023-53179: In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: add the missi In the Linux kernel, the following vulnerability has been resolved: netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c The missing IP_SET_HASH_WITH_NET0 macro in ip_set_hash_netportnet can lead to the use of wrong `CIDR_POS(c)` for calculating array offsets, which can lead to integer underflow. As a result, it

CVE-2022-50258 [HIGH] CWE-787 CVE-2022-50258: In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential s In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds() This patch fixes a stack-out-of-bounds read in brcmfmac that occurs when 'buf' that is not null-terminated is passed as an argument of strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmw

CVE-2023-53194 [HIGH] CWE-416 CVE-2023-53194: In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add length check in i In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: Add length check in indx_get_root This adds a length check to guarantee the retrieved index root is legit. [ 162.459513] BUG: KASAN: use-after-free in hdr_find_e.isra.0+0x10c/0x320 [ 162.460176] Read of size 2 at addr ffff8880037bca99 by task mount/243 [ 162.460851] [ 162

CVE-2022-50252 [HIGH] CWE-416 CVE-2022-50252: In the Linux kernel, the following vulnerability has been resolved: igb: Do not free q_vector unles In the Linux kernel, the following vulnerability has been resolved: igb: Do not free q_vector unless new one was allocated Avoid potential use-after-free condition under memory pressure. If the kzalloc() fails, q_vector will be freed but left in the original adapter->q_vector[v_idx] array position.

CVE-2023-53184 [HIGH] CWE-787 CVE-2023-53184: In the Linux kernel, the following vulnerability has been resolved: arm64/sme: Set new vector lengt In the Linux kernel, the following vulnerability has been resolved: arm64/sme: Set new vector length before reallocating As part of fixing the allocation of the buffer for SVE state when changing SME vector length we introduced an immediate reallocation of the SVE state, this is also done when changing the SVE vector length for consistency. Unfortun

CVE-2022-50256 [HIGH] CWE-416 CVE-2022-50256: In the Linux kernel, the following vulnerability has been resolved: drm/meson: remove drm bridges a In the Linux kernel, the following vulnerability has been resolved: drm/meson: remove drm bridges at aggregate driver unbind time drm bridges added by meson_encoder_hdmi_init and meson_encoder_cvbs_init were not manually removed at module unload time, which caused dangling references to freed memory to remain linked in the global bridge_list. When

CVE-2022-50320 [HIGH] CWE-787 CVE-2022-50320: In the Linux kernel, the following vulnerability has been resolved: ACPI: tables: FPDT: Don't call In the Linux kernel, the following vulnerability has been resolved: ACPI: tables: FPDT: Don't call acpi_os_map_memory() on invalid phys address On a Packard Bell Dot SC (Intel Atom N2600 model) there is a FPDT table which contains invalid physical addresses, with high bits set which fall outside the range of the CPU-s supported physical address range

CVE-2022-50279 [HIGH] CWE-125 CVE-2022-50279: In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: Fix global-out-o In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: Fix global-out-of-bounds bug in _rtl8812ae_phy_set_txpower_limit() There is a global-out-of-bounds reported by KASAN: BUG: KASAN: global-out-of-bounds in _rtl8812ae_eq_n_byte.part.0+0x3d/0x84 [rtl8821ae] Read of size 1 at addr ffffffffa0773c43 by task NetworkManager/

CVE-2023-53259 [HIGH] CWE-125 CVE-2023-53259: In the Linux kernel, the following vulnerability has been resolved: VMCI: check context->notify_pag In the Linux kernel, the following vulnerability has been resolved: VMCI: check context->notify_page after call to get_user_pages_fast() to avoid GPF The call to get_user_pages_fast() in vmci_host_setup_notify() can return NULL context->notify_page causing a GPF. To avoid GPF check if context->notify_page == NULL and return error if so. general pro

CVE-2023-53216 [HIGH] CVE-2023-53216: In the Linux kernel, the following vulnerability has been resolved: arm64: efi: Make efi_rt_lock a In the Linux kernel, the following vulnerability has been resolved: arm64: efi: Make efi_rt_lock a raw_spinlock Running a rt-kernel base on 6.2.0-rc3-rt1 on an Ampere Altra outputs the following: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46 in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 9, name: kworker/u320:0

CVE-2022-50283 [HIGH] CWE-416 CVE-2022-50283: In the Linux kernel, the following vulnerability has been resolved: mtd: core: add missing of_node_ In the Linux kernel, the following vulnerability has been resolved: mtd: core: add missing of_node_get() in dynamic partitions code This fixes unbalanced of_node_put(): [ 1.078910] 6 cmdlinepart partitions found on MTD device gpmi-nand [ 1.085116] Creating 6 MTD partitions on "gpmi-nand": [ 1.090181] 0x000000000000-0x000008000000 : "nandboot" [ 1.09

CVE-2022-50305 [HIGH] CWE-416 CVE-2022-50305: In the Linux kernel, the following vulnerability has been resolved: ASoC: sof_es8336: fix possible In the Linux kernel, the following vulnerability has been resolved: ASoC: sof_es8336: fix possible use-after-free in sof_es8336_remove() sof_es8336_remove() calls cancel_delayed_work(). However, that function does not wait until the work function finishes. This means that the callback function may still be running after the driver's remove function h

CVE-2023-53262 [HIGH] CVE-2023-53262: In the Linux kernel, the following vulnerability has been resolved: f2fs: fix scheduling while atom In the Linux kernel, the following vulnerability has been resolved: f2fs: fix scheduling while atomic in decompression path [ 16.945668][ C0] Call trace: [ 16.945678][ C0] dump_backtrace+0x110/0x204 [ 16.945706][ C0] dump_stack_lvl+0x84/0xbc [ 16.945735][ C0] __schedule_bug+0xb8/0x1ac [ 16.945756][ C0] __schedule+0x724/0xbdc [ 16.945778][ C0] schedule+0x154

CVE-2022-50239 [HIGH] CWE-125 CVE-2022-50239: In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom: fix writes in re In the Linux kernel, the following vulnerability has been resolved: cpufreq: qcom: fix writes in read-only memory region This commit fixes a kernel oops because of a write in some read-only memory: [ 9.068287] Unable to handle kernel write to read-only memory at virtual address ffff800009240ad8 ..snip.. [ 9.138790] Internal error: Oops: 9600004f [#

CVE-2023-53192 [HIGH] CWE-129 CVE-2023-53192: In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix nexthop hash size T In the Linux kernel, the following vulnerability has been resolved: vxlan: Fix nexthop hash size The nexthop code expects a 31 bit hash, such as what is returned by fib_multipath_hash() and rt6_multipath_hash(). Passing the 32 bit hash returned by skb_get_hash() can lead to problems related to the fact that 'int hash' is a negative number when the M

CVE-2025-39803 [HIGH] CWE-617 CVE-2025-39803: In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Remove WARN_ON In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Remove WARN_ON_ONCE() call from ufshcd_uic_cmd_compl() The UIC completion interrupt may be disabled while an UIC command is being processed. When the UIC completion interrupt is reenabled, an UIC interrupt is triggered and the WARN_ON_ONCE(!cmd) statement is hit. He