Linux Kernel vulnerabilities

CVE-2022-50269 [MEDIUM] CWE-401 CVE-2022-50269: In the Linux kernel, the following vulnerability has been resolved: drm/vkms: Fix memory leak in vk In the Linux kernel, the following vulnerability has been resolved: drm/vkms: Fix memory leak in vkms_init() A memory leak was reported after the vkms module install failed. unreferenced object 0xffff88810bc28520 (size 16): comm "modprobe", pid 9662, jiffies 4298009455 (age 42.590s) hex dump (first 16 bytes): 01 01 00 64 81 88 ff ff 00 00 dc 0a 8

CVE-2022-50291 [MEDIUM] CVE-2022-50291: In the Linux kernel, the following vulnerability has been resolved: kcm: annotate data-races around In the Linux kernel, the following vulnerability has been resolved: kcm: annotate data-races around kcm->rx_psock kcm->rx_psock can be read locklessly in kcm_rfree(). Annotate the read and writes accordingly. We do the same for kcm->rx_wait in the following patch. syzbot reported: BUG: KCSAN: data-race in kcm_rfree / unreserve_rx_kcm write to 0xffff888

CVE-2022-50324 [MEDIUM] CWE-401 CVE-2022-50324: In the Linux kernel, the following vulnerability has been resolved: mtd: maps: pxa2xx-flash: fix me In the Linux kernel, the following vulnerability has been resolved: mtd: maps: pxa2xx-flash: fix memory leak in probe Free 'info' upon remapping error to avoid a memory leak. [: Reword the commit log]

CVE-2023-53236 [MEDIUM] CVE-2023-53236: In the Linux kernel, the following vulnerability has been resolved: iommufd: Do not corrupt the pfn In the Linux kernel, the following vulnerability has been resolved: iommufd: Do not corrupt the pfn list when doing batch carry If batch->end is 0 then setting npfns[0] before computing the new value of pfns will fail to adjust the pfn and result in various page accounting corruptions. It should be ordered after. This seems to result in various kinds of

CVE-2023-53163 [MEDIUM] CVE-2023-53163: In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: don't hold ni_lock wh In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: don't hold ni_lock when calling truncate_setsize() syzbot is reporting hung task at do_user_addr_fault() [1], for there is a silent deadlock between PG_locked bit and ni_lock lock. Since filemap_update_page() calls filemap_read_folio() after calling folio_trylock() which will s

CVE-2022-50313 [MEDIUM] CVE-2022-50313: In the Linux kernel, the following vulnerability has been resolved: erofs: fix order >= MAX_ORDER w In the Linux kernel, the following vulnerability has been resolved: erofs: fix order >= MAX_ORDER warning due to crafted negative i_size As syzbot reported [1], the root cause is that i_size field is a signed type, and negative i_size is also less than EROFS_BLKSIZ. As a consequence, it's handled as fast symlink unexpectedly. Let's fall back to the gener

CVE-2022-50272 [MEDIUM] CWE-476 CVE-2022-50272: In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: az6027: fix nul In the Linux kernel, the following vulnerability has been resolved: media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() Wei Chen reports a kernel bug as blew: general protection fault, probably for non-canonical address KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] ... Call Trace: __i2c_transfer+0x77e/0x1930

CVE-2023-53166 [MEDIUM] CWE-362 CVE-2023-53166: In the Linux kernel, the following vulnerability has been resolved: power: supply: bq25890: Fix ext In the Linux kernel, the following vulnerability has been resolved: power: supply: bq25890: Fix external_power_changed race bq25890_charger_external_power_changed() dereferences bq->charger, which gets sets in bq25890_power_supply_init() like this: bq->charger = devm_power_supply_register(bq->dev, &bq->desc, &psy_cfg); As soon as devm_power_supp

CVE-2022-50296 [MEDIUM] CVE-2022-50296: In the Linux kernel, the following vulnerability has been resolved: UM: cpuinfo: Fix a warning for In the Linux kernel, the following vulnerability has been resolved: UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS is selected, cpu_max_bits_warn() generates a runtime warning similar as below while we show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit) instead of NR_CPUS t

CVE-2022-50326 [MEDIUM] CWE-401 CVE-2022-50326: In the Linux kernel, the following vulnerability has been resolved: media: airspy: fix memory leak In the Linux kernel, the following vulnerability has been resolved: media: airspy: fix memory leak in airspy probe The commit ca9dc8d06ab6 ("media: airspy: respect the DMA coherency rules") moves variable buf from stack to heap, however, it only frees buf in the error handling code, missing deallocation in the success path. Fix this by freeing buf

CVE-2022-50334 [MEDIUM] CWE-476 CVE-2022-50334: In the Linux kernel, the following vulnerability has been resolved: hugetlbfs: fix null-ptr-deref i In the Linux kernel, the following vulnerability has been resolved: hugetlbfs: fix null-ptr-deref in hugetlbfs_parse_param() Syzkaller reports a null-ptr-deref bug as follows: KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:hugetlbfs_parse_param+0x1dd/0x8e0 fs/hugetlbfs/inode.c:1380 [...] Call Trace: vfs_parse_fs_

CVE-2025-39801 [MEDIUM] CWE-617 CVE-2025-39801: In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Remove WARN_ON for d In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: Remove WARN_ON for device endpoint command timeouts This commit addresses a rarely observed endpoint command timeout which causes kernel panic due to warn when 'panic_on_warn' is enabled and unnecessary call trace prints when 'panic_on_warn' is disabled. It is seen duri

CVE-2022-50298 [MEDIUM] CVE-2022-50298: In the Linux kernel, the following vulnerability has been resolved: slimbus: qcom-ngd: cleanup in p In the Linux kernel, the following vulnerability has been resolved: slimbus: qcom-ngd: cleanup in probe error path Add proper error path in probe() to cleanup resources previously acquired/allocated to fix warnings visible during probe deferral: notifier callback qcom_slim_ngd_ssr_notify already registered WARNING: CPU: 6 PID: 70 at kernel/notifier.c:28

CVE-2023-53171 [MEDIUM] CVE-2023-53171: In the Linux kernel, the following vulnerability has been resolved: vfio/type1: prevent underflow o In the Linux kernel, the following vulnerability has been resolved: vfio/type1: prevent underflow of locked_vm via exec() When a vfio container is preserved across exec, the task does not change, but it gets a new mm with locked_vm=0, and loses the count from existing dma mappings. If the user later unmaps a dma mapping, locked_vm underflows to a large un

CVE-2023-53188 [MEDIUM] CWE-362 CVE-2023-53188: In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix race on p In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix race on port output assume the following setup on a single machine: 1. An openvswitch instance with one bridge and default flows 2. two network namespaces "server" and "client" 3. two ovs interfaces "server" and "client" on the bridge 4. for each ovs interfac

CVE-2022-50337 [MEDIUM] CVE-2022-50337: In the Linux kernel, the following vulnerability has been resolved: ocxl: fix pci device refcount l In the Linux kernel, the following vulnerability has been resolved: ocxl: fix pci device refcount leak when calling get_function_0() get_function_0() calls pci_get_domain_bus_and_slot(), as comment says, it returns a pci device with refcount increment, so after using it, pci_dev_put() needs be called. Get the device reference when get_function_0() is not

CVE-2023-53242 [MEDIUM] CVE-2023-53242: In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/hisi: Drop seco In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/hisi: Drop second sensor hi3660 The commit 74c8e6bffbe1 ("driver core: Add __alloc_size hint to devm allocators") exposes a panic "BRK handler: Fatal exception" on the hi3660_thermal_probe funciton. This is because the function allocates memory for only one sensors array e

CVE-2023-53209 [MEDIUM] CWE-476 CVE-2023-53209: In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: Fix possi In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: Fix possible NULL dereference In a call to mac80211_hwsim_select_tx_link() the sta pointer might be NULL, thus need to check that it is not NULL before accessing it.

CVE-2023-53195 [MEDIUM] CWE-401 CVE-2023-53195: In the Linux kernel, the following vulnerability has been resolved: mlxsw: minimal: fix potential m In the Linux kernel, the following vulnerability has been resolved: mlxsw: minimal: fix potential memory leak in mlxsw_m_linecards_init The line cards array is not freed in the error path of mlxsw_m_linecards_init(), which can lead to a memory leak. Fix by freeing the array in the error path, thereby making the error path identical to mlxsw_m_line

CVE-2022-50242 [MEDIUM] CWE-401 CVE-2022-50242: In the Linux kernel, the following vulnerability has been resolved: drivers: net: qlcnic: Fix poten In the Linux kernel, the following vulnerability has been resolved: drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() If vp alloc failed in qlcnic_sriov_init(), all previously allocated vp needs to be freed.