Filtered by vendor Linux
Subscribe
Total
15226 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-50291 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
kcm: annotate data-races around kcm->rx_psock
kcm->rx_psock can be read locklessly in kcm_rfree().
Annotate the read and writes accordingly.
We do the same for kcm->rx_wait in the following patch.
syzbot reported:
BUG: KCSAN: data-race in kcm_rfree / unreserve_rx_kcm
write to 0xffff888123d827b8 of 8 bytes by task 2758 on cpu 1:
unreserve_rx_kcm+0x72/0x1f0 net/kcm/kcmsock.c:313
kcm_rcv_strparser+0x2b5/0x3a0 net/kcm/kcmsock.c ...
Show More |
|||||
| CVE-2022-50292 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dp: fix bridge lifetime
Device-managed resources allocated post component bind must be tied to
the lifetime of the aggregate DRM device or they will not necessarily be
released when binding of the aggregate device is deferred.
This can lead resource leaks or failure to bind the aggregate device
when binding is later retried and a second attempt to allocate the
resources is made.
For the DP bridges, previously allocat ...
Show More |
|||||
| CVE-2022-50293 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
btrfs: do not BUG_ON() on ENOMEM when dropping extent items for a range
If we get -ENOMEM while dropping file extent items in a given range, at
btrfs_drop_extents(), due to failure to allocate memory when attempting to
increment the reference count for an extent or drop the reference count,
we handle it with a BUG_ON(). This is excessive, instead we can simply
abort the transaction and return the error to the caller. In fact m ...
Show More |
|||||
| CVE-2022-50295 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
io_uring/msg_ring: Fix NULL pointer dereference in io_msg_send_fd()
Syzkaller produced the below call trace:
BUG: KASAN: null-ptr-deref in io_msg_ring+0x3cb/0x9f0
Write of size 8 at addr 0000000000000070 by task repro/16399
CPU: 0 PID: 16399 Comm: repro Not tainted 6.1.0-rc1 #28
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7
Call Trace:
<TASK>
dump_stack_lvl+0xcd/0x134
? io_msg_ring+0x3cb ...
Show More |
|||||
| CVE-2025-13721 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-12-04 | N/A | 7.5 HIGH |
|
Race in v8 in Google Chrome prior to 143.0.7499.41 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
|
|||||
| CVE-2025-13720 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-12-04 | N/A | 8.8 HIGH |
|
Bad cast in Loader in Google Chrome prior to 143.0.7499.41 allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)
|
|||||
| CVE-2025-13640 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2025-12-04 | N/A | 3.5 LOW |
|
Inappropriate implementation in Passwords in Google Chrome prior to 143.0.7499.41 allowed a local attacker to bypass authentication via physical access to the device. (Chromium security severity: Low)
|
|||||
| CVE-2025-62189 | 3 Linux, Microsoft, Secuavail | 3 Linux Kernel, Windows, Logstare Collector | 2025-12-04 | N/A | 4.3 MEDIUM |
|
LogStare Collector contains an incorrect authorization vulnerability in UserRegistration. If exploited, a non-administrative user may create a new user account by sending a crafted HTTP request.
|
|||||
| CVE-2022-50296 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS is selected,
cpu_max_bits_warn() generates a runtime warning similar as below while
we show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit)
instead of NR_CPUS to iterate CPUs.
[ 3.052463] ------------[ cut here ]------------
[ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 sh ...
Show More |
|||||
| CVE-2022-50297 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
wifi: ath9k: verify the expected usb_endpoints are present
The bug arises when a USB device claims to be an ATH9K but doesn't
have the expected endpoints. (In this case there was an interrupt
endpoint where the driver expected a bulk endpoint.) The kernel
needs to be able to handle such devices without getting an internal error.
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 3 PID: 500 at drivers/usb/core/urb.c:493 u ...
Show More |
|||||
| CVE-2022-50298 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
slimbus: qcom-ngd: cleanup in probe error path
Add proper error path in probe() to cleanup resources previously
acquired/allocated to fix warnings visible during probe deferral:
notifier callback qcom_slim_ngd_ssr_notify already registered
WARNING: CPU: 6 PID: 70 at kernel/notifier.c:28 notifier_chain_register+0x5c/0x90
Modules linked in:
CPU: 6 PID: 70 Comm: kworker/u16:1 Not tainted 6.0.0-rc3-next-20220830 #380
Ca ...
Show More |
|||||
| CVE-2022-50299 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
md: Replace snprintf with scnprintf
Current code produces a warning as shown below when total characters
in the constituent block device names plus the slashes exceeds 200.
snprintf() returns the number of characters generated from the given
input, which could cause the expression “200 – len” to wrap around
to a large positive number. Fix this by using scnprintf() instead,
which returns the actual number of characters written ...
Show More |
|||||
| CVE-2022-50300 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
btrfs: fix extent map use-after-free when handling missing device in read_one_chunk
Store the error code before freeing the extent_map. Though it's
reference counted structure, in that function it's the first and last
allocation so this would lead to a potential use-after-free.
The error can happen eg. when chunk is stored on a missing device and
the degraded mount option is missing.
Bugzilla: https://bugzilla.kernel.org/sho ...
Show More |
|||||
| CVE-2022-50301 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
iommu/omap: Fix buffer overflow in debugfs
There are two issues here:
1) The "len" variable needs to be checked before the very first write.
Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a
buffer overflow.
2) The snprintf() function returns the number of bytes that *would* have
been copied if there were enough space. But we want to know the
number of bytes which were *actually* copied so use ...
Show More |
|||||
| CVE-2022-50302 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
lockd: set other missing fields when unlocking files
vfs_lock_file() expects the struct file_lock to be fully initialised by
the caller. Re-exported NFSv3 has been seen to Oops if the fl_file field
is NULL.
|
|||||
| CVE-2022-50303 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/amdkfd: Fix double release compute pasid
If kfd_process_device_init_vm returns failure after vm is converted to
compute vm and vm->pasid set to compute pasid, KFD will not take
pdd->drm_file reference. As a result, drm close file handler maybe
called to release the compute pasid before KFD process destroy worker to
release the same pasid and set vm->pasid to zero, this generates below
WARNING backtrace and NULL pointer acc ...
Show More |
|||||
| CVE-2022-50304 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
mtd: core: fix possible resource leak in init_mtd()
I got the error report while inject fault in init_mtd():
sysfs: cannot create duplicate filename '/devices/virtual/bdi/mtd-0'
Call Trace:
<TASK>
dump_stack_lvl+0x67/0x83
sysfs_warn_dup+0x60/0x70
sysfs_create_dir_ns+0x109/0x120
kobject_add_internal+0xce/0x2f0
kobject_add+0x98/0x110
device_add+0x179/0xc00
device_create_groups_vargs+0xf4/0x100
device_create+0x7b/0xb0
...
Show More |
|||||
| CVE-2022-50305 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
ASoC: sof_es8336: fix possible use-after-free in sof_es8336_remove()
sof_es8336_remove() calls cancel_delayed_work(). However, that
function does not wait until the work function finishes. This
means that the callback function may still be running after
the driver's remove function has finished, which would result
in a use-after-free.
Fix by calling cancel_delayed_work_sync(), which ensures that
the work is properly cancelled ...
Show More |
|||||
| CVE-2022-50306 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 7.1 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
ext4: fix potential out of bound read in ext4_fc_replay_scan()
For scan loop must ensure that at least EXT4_FC_TAG_BASE_LEN space. If remain
space less than EXT4_FC_TAG_BASE_LEN which will lead to out of bound read
when mounting corrupt file system image.
ADD_RANGE/HEAD/TAIL is needed to add extra check when do journal scan, as this
three tags will read data during scan, tag length couldn't less than data length
which will rea ...
Show More |
|||||
| CVE-2022-50307 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 7.1 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
s390/cio: fix out-of-bounds access on cio_ignore free
The channel-subsystem-driver scans for newly available devices whenever
device-IDs are removed from the cio_ignore list using a command such as:
echo free >/proc/cio_ignore
Since an I/O device scan might interfer with running I/Os, commit
172da89ed0ea ("s390/cio: avoid excessive path-verification requests")
introduced an optimization to exclude online devices from the s ...
Show More |
|||||
| CVE-2022-50308 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
ASoC: qcom: Add checks for devm_kcalloc
As the devm_kcalloc may return NULL, the return value needs to be checked
to avoid NULL poineter dereference.
|
|||||
| CVE-2022-50309 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init
of_get_child_by_name() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.
|
|||||
| CVE-2022-50310 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
ip6mr: fix UAF issue in ip6mr_sk_done() when addrconf_init_net() failed
If the initialization fails in calling addrconf_init_net(), devconf_all is
the pointer that has been released. Then ip6mr_sk_done() is called to
release the net, accessing devconf->mc_forwarding directly causes invalid
pointer access.
The process is as follows:
setup_net()
ops_init()
addrconf_init_net()
all = kmemdup(...) ---> alloc "all"
...
Show More |
|||||
| CVE-2022-50311 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
cxl: Fix refcount leak in cxl_calc_capp_routing
of_get_next_parent() returns a node pointer with refcount incremented,
we should use of_node_put() on it when not need anymore.
This function only calls of_node_put() in normal path,
missing it in the error path.
Add missing of_node_put() to avoid refcount leak.
|
|||||
| CVE-2022-50312 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
drivers: serial: jsm: fix some leaks in probe
This error path needs to unwind instead of just returning directly.
|
|||||
| CVE-2022-50313 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
erofs: fix order >= MAX_ORDER warning due to crafted negative i_size
As syzbot reported [1], the root cause is that i_size field is a
signed type, and negative i_size is also less than EROFS_BLKSIZ.
As a consequence, it's handled as fast symlink unexpectedly.
Let's fall back to the generic path to deal with such unusual i_size.
[1] https://lore.kernel.org/r/[email protected]
|
|||||
| CVE-2022-50314 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
nbd: Fix hung when signal interrupts nbd_start_device_ioctl()
syzbot reported hung task [1]. The following program is a simplified
version of the reproducer:
int main(void)
{
int sv[2], fd;
if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
return 1;
if ((fd = open("/dev/nbd0", 0)) < 0)
return 1;
if (ioctl(fd, NBD_SET_SIZE_BLOCKS, 0x81) < 0)
return 1;
if (ioctl(fd, NBD_SET_SOCK, sv[0]) < 0)
return 1;
if (ioctl(f ...
Show More |
|||||
| CVE-2022-50315 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
ata: ahci: Match EM_MAX_SLOTS with SATA_PMP_MAX_PORTS
UBSAN complains about array-index-out-of-bounds:
[ 1.980703] kernel: UBSAN: array-index-out-of-bounds in /build/linux-9H675w/linux-5.15.0/drivers/ata/libahci.c:968:41
[ 1.980709] kernel: index 15 is out of range for type 'ahci_em_priv [8]'
[ 1.980713] kernel: CPU: 0 PID: 209 Comm: scsi_eh_8 Not tainted 5.15.0-25-generic #25-Ubuntu
[ 1.980716] kernel: Hardware name: System m ...
Show More |
|||||
| CVE-2022-50317 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
drm/bridge: megachips: Fix a null pointer dereference bug
When removing the module we will get the following warning:
[ 31.911505] i2c-core: driver [stdp2690-ge-b850v3-fw] unregistered
[ 31.912484] general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
[ 31.913338] KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
[ 31.915280] RIP: 0010:drm ...
Show More |
|||||
| CVE-2022-50318 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox()
pci_get_device() will increase the reference count for the returned
'dev'. We need to call pci_dev_put() to decrease the reference count.
Since 'dev' is only used in pci_read_config_dword(), let's add
pci_dev_put() right after it.
|
|||||
| CVE-2022-50319 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
coresight: trbe: remove cpuhp instance node before remove cpuhp state
cpuhp_state_add_instance() and cpuhp_state_remove_instance() should
be used in pairs. Or there will lead to the warn on
cpuhp_remove_multi_state() since the cpuhp_step list is not empty.
The following is the error log with 'rmmod coresight-trbe':
Error: Removing state 215 which has instances left.
Call trace:
__cpuhp_remove_state_cpuslocked+0x144/0x160
...
Show More |
|||||
| CVE-2022-50320 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
ACPI: tables: FPDT: Don't call acpi_os_map_memory() on invalid phys address
On a Packard Bell Dot SC (Intel Atom N2600 model) there is a FPDT table
which contains invalid physical addresses, with high bits set which fall
outside the range of the CPU-s supported physical address range.
Calling acpi_os_map_memory() on such an invalid phys address leads to
the below WARN_ON in ioremap triggering resulting in an oops/stacktrace.
...
Show More |
|||||
| CVE-2022-50322 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
rtc: msc313: Fix function prototype mismatch in msc313_rtc_probe()
With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed.
msc313_rtc_prob ...
Show More |
|||||
| CVE-2022-50323 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
net: do not sense pfmemalloc status in skb_append_pagefrags()
skb_append_pagefrags() is used by af_unix and udp sendpage()
implementation so far.
In commit 326140063946 ("tcp: TX zerocopy should not sense
pfmemalloc status") we explained why we should not sense
pfmemalloc status for pages owned by user space.
We should also use skb_fill_page_desc_noacc()
in skb_append_pagefrags() to avoid following KCSAN report:
BUG: KCSAN: ...
Show More |
|||||
| CVE-2023-53200 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
netfilter: x_tables: fix percpu counter block leak on error path when creating new netns
Here is the stack where we allocate percpu counter block:
+-< __alloc_percpu
+-< xt_percpu_counter_alloc
+-< find_check_entry # {arp,ip,ip6}_tables.c
+-< translate_table
And it can be leaked on this code path:
+-> ip6t_register_table
+-> translate_table # allocates percpu counter block
+-> xt_register_table ...
Show More |
|||||
| CVE-2023-53201 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
RDMA/bnxt_re: wraparound mbox producer index
Driver is not handling the wraparound of the mbox producer index correctly.
Currently the wraparound happens once u32 max is reached.
Bit 31 of the producer index register is special and should be set
only once for the first command. Because the producer index overflow
setting bit31 after a long time, FW goes to initialization sequence
and this causes FW hang.
Fix is to wraparound ...
Show More |
|||||
| CVE-2023-53203 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
wifi: mt76: mt7996: rely on mt76_connac2_mac_tx_rate_val
In order to fix a possible NULL pointer dereference in
mt7996_mac_write_txwi() of vif pointer, export
mt76_connac2_mac_tx_rate_val utility routine and reuse it
in mt7996 driver.
|
|||||
| CVE-2023-53204 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 4.7 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
af_unix: Fix data-races around user->unix_inflight.
user->unix_inflight is changed under spin_lock(unix_gc_lock),
but too_many_unix_fds() reads it locklessly.
Let's annotate the write/read accesses to user->unix_inflight.
BUG: KCSAN: data-race in unix_attach_fds / unix_inflight
write to 0xffffffff8546f2d0 of 8 bytes by task 44798 on cpu 1:
unix_inflight+0x157/0x180 net/unix/scm.c:66
unix_attach_fds+0x147/0x1e0 net/unix/sc ...
Show More |
|||||
| CVE-2023-53205 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 7.8 HIGH |
|
In the Linux kernel, the following vulnerability has been resolved:
KVM: s390/diag: fix racy access of physical cpu number in diag 9c handler
We do check for target CPU == -1, but this might change at the time we
are going to use it. Hold the physical target CPU in a local variable to
avoid out-of-bound accesses to the cpu arrays.
|
|||||
| CVE-2023-53206 | 1 Linux | 1 Linux Kernel | 2025-12-04 | N/A | 5.5 MEDIUM |
|
In the Linux kernel, the following vulnerability has been resolved:
hwmon: (pmbus_core) Fix NULL pointer dereference
Pass i2c_client to _pmbus_is_enabled to drop the assumption
that a regulator device is passed in.
This will fix the issue of a NULL pointer dereference when called from
_pmbus_get_flags.
|
|||||