Vulnerability-Lookup

CERTFR-2025-AVI-0920

Vulnerability from certfr_avis - Published: 2025-10-24 - Updated: 2025-10-24

De multiples vulnérabilités ont été découvertes dans les produits Microsoft. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Microsoft	N/A	cbl2 mysql 8.0.43-1
Microsoft	N/A	azl3 unbound 1.19.1-4
Microsoft	N/A	azl3 mysql versions antérieures à 8.0.44-1
Microsoft	N/A	cbl2 kernel 5.15.186.1-1
Microsoft	N/A	azl3 lz4 1.9.4-1
Microsoft	N/A	azl3 squid versions antérieures à 6.13-3

References

Title

Publication Time

CVE-2022-49267 (GCVE-0-2022-49267)

Vulnerability from cvelistv5 – Published: 2025-02-26 01:56 – Updated: 2026-03-24 08:34

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2026-03-24T08:34:49.555Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
        }
      ],
      "x_generator": {
        "engine": "cvelib 1.8.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49267",
    "datePublished": "2025-02-26T01:56:16.211Z",
    "dateRejected": "2026-03-24T08:34:49.555Z",
    "dateReserved": "2025-02-26T01:49:39.297Z",
    "dateUpdated": "2026-03-24T08:34:49.555Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49306 (GCVE-0-2022-49306)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:10 – Updated: 2026-05-11 18:57

Title

usb: dwc3: host: Stop setting the ACPI companion

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: host: Stop setting the ACPI companion It is no longer needed. The sysdev pointer is now used when assigning the ACPI companions to the xHCI ports and USB devices. Assigning the ACPI companion here resulted in the fwnode->secondary pointer to be replaced also for the parent dwc3 device since the primary fwnode (the ACPI companion) was shared. That was unintentional and it created potential side effects like resource leaks.

Severity

No CVSS data available.

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/d7f35934f7ab67bfd…
https://git.kernel.org/stable/c/9c185fde906a48368…
https://git.kernel.org/stable/c/7fd069d65da2e20b1…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 11c39809070fc0eb3aacb0d9ee71cd3678144f66 , < d7f35934f7ab67bfd9adabc84207e59da9c19108 (git) Affected: 11c39809070fc0eb3aacb0d9ee71cd3678144f66 , < 9c185fde906a48368bd2d2a8c17d4b6fb3d670af (git) Affected: 11c39809070fc0eb3aacb0d9ee71cd3678144f66 , < 7fd069d65da2e20b1caec3b7bcf9dfbe28c04bb2 (git)
Linux	Linux	Affected: 5.7 Unaffected: 0 , < 5.7 (semver) Unaffected: 5.17.15 , ≤ 5.17.* (semver) Unaffected: 5.18.4 , ≤ 5.18.* (semver) Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/dwc3/host.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d7f35934f7ab67bfd9adabc84207e59da9c19108",
              "status": "affected",
              "version": "11c39809070fc0eb3aacb0d9ee71cd3678144f66",
              "versionType": "git"
            },
            {
              "lessThan": "9c185fde906a48368bd2d2a8c17d4b6fb3d670af",
              "status": "affected",
              "version": "11c39809070fc0eb3aacb0d9ee71cd3678144f66",
              "versionType": "git"
            },
            {
              "lessThan": "7fd069d65da2e20b1caec3b7bcf9dfbe28c04bb2",
              "status": "affected",
              "version": "11c39809070fc0eb3aacb0d9ee71cd3678144f66",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/dwc3/host.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.15",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.4",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: dwc3: host: Stop setting the ACPI companion\n\nIt is no longer needed. The sysdev pointer is now used when\nassigning the ACPI companions to the xHCI ports and USB\ndevices.\n\nAssigning the ACPI companion here resulted in the\nfwnode-\u003esecondary pointer to be replaced also for the parent\ndwc3 device since the primary fwnode (the ACPI companion)\nwas shared. That was unintentional and it created potential\nside effects like resource leaks."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T18:57:08.251Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d7f35934f7ab67bfd9adabc84207e59da9c19108"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c185fde906a48368bd2d2a8c17d4b6fb3d670af"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fd069d65da2e20b1caec3b7bcf9dfbe28c04bb2"
        }
      ],
      "title": "usb: dwc3: host: Stop setting the ACPI companion",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49306",
    "datePublished": "2025-02-26T02:10:38.680Z",
    "dateReserved": "2025-02-26T02:08:31.535Z",
    "dateUpdated": "2026-05-11T18:57:08.251Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49333 (GCVE-0-2022-49333)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:10 – Updated: 2026-05-23 15:21

Title

net/mlx5: E-Switch, pair only capable devices

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: E-Switch, pair only capable devices OFFLOADS paring using devcom is possible only on devices that support LAG. Filter based on lag capabilities. This fixes an issue where mlx5_get_next_phys_dev() was called without holding the interface lock. This issue was found when commit bc4c2f2e0179 ("net/mlx5: Lag, filter non compatible devices") added an assert that verifies the interface lock is held. WARNING: CPU: 9 PID: 1706 at drivers/net/ethernet/mellanox/mlx5/core/dev.c:642 mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core] Modules linked in: mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm ib_uverbs ib_core overlay fuse [last unloaded: mlx5_core] CPU: 9 PID: 1706 Comm: devlink Not tainted 5.18.0-rc7+ #11 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core] Code: 02 00 75 48 48 8b 85 80 04 00 00 5d c3 31 c0 5d c3 be ff ff ff ff 48 c7 c7 08 41 5b a0 e8 36 87 28 e3 85 c0 0f 85 6f ff ff ff <0f> 0b e9 68 ff ff ff 48 c7 c7 0c 91 cc 84 e8 cb 36 6f e1 e9 4d ff RSP: 0018:ffff88811bf47458 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff88811b398000 RCX: 0000000000000001 RDX: 0000000080000000 RSI: ffffffffa05b4108 RDI: ffff88812daaaa78 RBP: ffff88812d050380 R08: 0000000000000001 R09: ffff88811d6b3437 R10: 0000000000000001 R11: 00000000fddd3581 R12: ffff88815238c000 R13: ffff88812d050380 R14: ffff8881018aa7e0 R15: ffff88811d6b3428 FS: 00007fc82e18ae80(0000) GS:ffff88842e080000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f9630d1b421 CR3: 0000000149802004 CR4: 0000000000370ea0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> mlx5_esw_offloads_devcom_event+0x99/0x3b0 [mlx5_core] mlx5_devcom_send_event+0x167/0x1d0 [mlx5_core] esw_offloads_enable+0x1153/0x1500 [mlx5_core] ? mlx5_esw_offloads_controller_valid+0x170/0x170 [mlx5_core] ? wait_for_completion_io_timeout+0x20/0x20 ? mlx5_rescan_drivers_locked+0x318/0x810 [mlx5_core] mlx5_eswitch_enable_locked+0x586/0xc50 [mlx5_core] ? mlx5_eswitch_disable_pf_vf_vports+0x1d0/0x1d0 [mlx5_core] ? mlx5_esw_try_lock+0x1b/0xb0 [mlx5_core] ? mlx5_eswitch_enable+0x270/0x270 [mlx5_core] ? __debugfs_create_file+0x260/0x3e0 mlx5_devlink_eswitch_mode_set+0x27e/0x870 [mlx5_core] ? mutex_lock_io_nested+0x12c0/0x12c0 ? esw_offloads_disable+0x250/0x250 [mlx5_core] ? devlink_nl_cmd_trap_get_dumpit+0x470/0x470 ? rcu_read_lock_sched_held+0x3f/0x70 devlink_nl_cmd_eswitch_set_doit+0x217/0x620

Severity

No CVSS data available.

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/0cef0b7eb044bb8cf…
https://git.kernel.org/stable/c/cdbcdddb8076a09aa…
https://git.kernel.org/stable/c/3008e6a0049361e73…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: dd3fddb82780bfa24124834edd90bbc63bd689cc , < 0cef0b7eb044bb8cfdaff4c1db55a8fd442f6bc9 (git) Affected: dd3fddb82780bfa24124834edd90bbc63bd689cc , < cdbcdddb8076a09aa6ddaf20fd911fc787dca0e5 (git) Affected: dd3fddb82780bfa24124834edd90bbc63bd689cc , < 3008e6a0049361e731b803c60fe8f3ab44e1d73f (git) Affected: 4d253ea99fbac316cbe4bafaf36087b592c2cd49 (git) Affected: 5.13.8 , < 5.14 (semver)
Linux	Linux	Affected: 5.14 Unaffected: 0 , < 5.14 (semver) Unaffected: 5.17.15 , ≤ 5.17.* (semver) Unaffected: 5.18.4 , ≤ 5.18.* (semver) Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/dev.c",
            "drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c",
            "drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h",
            "drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0cef0b7eb044bb8cfdaff4c1db55a8fd442f6bc9",
              "status": "affected",
              "version": "dd3fddb82780bfa24124834edd90bbc63bd689cc",
              "versionType": "git"
            },
            {
              "lessThan": "cdbcdddb8076a09aa6ddaf20fd911fc787dca0e5",
              "status": "affected",
              "version": "dd3fddb82780bfa24124834edd90bbc63bd689cc",
              "versionType": "git"
            },
            {
              "lessThan": "3008e6a0049361e731b803c60fe8f3ab44e1d73f",
              "status": "affected",
              "version": "dd3fddb82780bfa24124834edd90bbc63bd689cc",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "4d253ea99fbac316cbe4bafaf36087b592c2cd49",
              "versionType": "git"
            },
            {
              "lessThan": "5.14",
              "status": "affected",
              "version": "5.13.8",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/dev.c",
            "drivers/net/ethernet/mellanox/mlx5/core/eswitch_offloads.c",
            "drivers/net/ethernet/mellanox/mlx5/core/lag/lag.h",
            "drivers/net/ethernet/mellanox/mlx5/core/mlx5_core.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.15",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.15",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.4",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.13.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: E-Switch, pair only capable devices\n\nOFFLOADS paring using devcom is possible only on devices\nthat support LAG. Filter based on lag capabilities.\n\nThis fixes an issue where mlx5_get_next_phys_dev() was\ncalled without holding the interface lock.\n\nThis issue was found when commit\nbc4c2f2e0179 (\"net/mlx5: Lag, filter non compatible devices\")\nadded an assert that verifies the interface lock is held.\n\nWARNING: CPU: 9 PID: 1706 at drivers/net/ethernet/mellanox/mlx5/core/dev.c:642 mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core]\nModules linked in: mlx5_vdpa vringh vhost_iotlb vdpa mlx5_ib mlx5_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcrdma rdma_ucm ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_umad ib_ipoib ib_cm ib_uverbs ib_core overlay fuse [last unloaded: mlx5_core]\nCPU: 9 PID: 1706 Comm: devlink Not tainted 5.18.0-rc7+ #11\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\nRIP: 0010:mlx5_get_next_phys_dev+0xd2/0x100 [mlx5_core]\nCode: 02 00 75 48 48 8b 85 80 04 00 00 5d c3 31 c0 5d c3 be ff ff ff ff 48 c7 c7 08 41 5b a0 e8 36 87 28 e3 85 c0 0f 85 6f ff ff ff \u003c0f\u003e 0b e9 68 ff ff ff 48 c7 c7 0c 91 cc 84 e8 cb 36 6f e1 e9 4d ff\nRSP: 0018:ffff88811bf47458 EFLAGS: 00010246\nRAX: 0000000000000000 RBX: ffff88811b398000 RCX: 0000000000000001\nRDX: 0000000080000000 RSI: ffffffffa05b4108 RDI: ffff88812daaaa78\nRBP: ffff88812d050380 R08: 0000000000000001 R09: ffff88811d6b3437\nR10: 0000000000000001 R11: 00000000fddd3581 R12: ffff88815238c000\nR13: ffff88812d050380 R14: ffff8881018aa7e0 R15: ffff88811d6b3428\nFS:  00007fc82e18ae80(0000) GS:ffff88842e080000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f9630d1b421 CR3: 0000000149802004 CR4: 0000000000370ea0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n mlx5_esw_offloads_devcom_event+0x99/0x3b0 [mlx5_core]\n mlx5_devcom_send_event+0x167/0x1d0 [mlx5_core]\n esw_offloads_enable+0x1153/0x1500 [mlx5_core]\n ? mlx5_esw_offloads_controller_valid+0x170/0x170 [mlx5_core]\n ? wait_for_completion_io_timeout+0x20/0x20\n ? mlx5_rescan_drivers_locked+0x318/0x810 [mlx5_core]\n mlx5_eswitch_enable_locked+0x586/0xc50 [mlx5_core]\n ? mlx5_eswitch_disable_pf_vf_vports+0x1d0/0x1d0 [mlx5_core]\n ? mlx5_esw_try_lock+0x1b/0xb0 [mlx5_core]\n ? mlx5_eswitch_enable+0x270/0x270 [mlx5_core]\n ? __debugfs_create_file+0x260/0x3e0\n mlx5_devlink_eswitch_mode_set+0x27e/0x870 [mlx5_core]\n ? mutex_lock_io_nested+0x12c0/0x12c0\n ? esw_offloads_disable+0x250/0x250 [mlx5_core]\n ? devlink_nl_cmd_trap_get_dumpit+0x470/0x470\n ? rcu_read_lock_sched_held+0x3f/0x70\n devlink_nl_cmd_eswitch_set_doit+0x217/0x620"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:21:54.522Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0cef0b7eb044bb8cfdaff4c1db55a8fd442f6bc9"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdbcdddb8076a09aa6ddaf20fd911fc787dca0e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/3008e6a0049361e731b803c60fe8f3ab44e1d73f"
        }
      ],
      "title": "net/mlx5: E-Switch, pair only capable devices",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49333",
    "datePublished": "2025-02-26T02:10:52.081Z",
    "dateReserved": "2025-02-26T02:08:31.539Z",
    "dateUpdated": "2026-05-23T15:21:54.522Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49420 (GCVE-0-2022-49420)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:12 – Updated: 2026-05-23 15:22

Title

net: annotate races around sk->sk_bound_dev_if

Summary

In the Linux kernel, the following vulnerability has been resolved: net: annotate races around sk->sk_bound_dev_if UDP sendmsg() is lockless, and reads sk->sk_bound_dev_if while this field can be changed by another thread. Adds minimal annotations to avoid KCSAN splats for UDP. Following patches will add more annotations to potential lockless readers. BUG: KCSAN: data-race in __ip6_datagram_connect / udpv6_sendmsg write to 0xffff888136d47a94 of 4 bytes by task 7681 on cpu 0: __ip6_datagram_connect+0x6e2/0x930 net/ipv6/datagram.c:221 ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272 inet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576 __sys_connect_file net/socket.c:1900 [inline] __sys_connect+0x197/0x1b0 net/socket.c:1917 __do_sys_connect net/socket.c:1927 [inline] __se_sys_connect net/socket.c:1924 [inline] __x64_sys_connect+0x3d/0x50 net/socket.c:1924 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffff888136d47a94 of 4 bytes by task 7670 on cpu 1: udpv6_sendmsg+0xc60/0x16e0 net/ipv6/udp.c:1436 inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:652 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg net/socket.c:725 [inline] ____sys_sendmsg+0x39a/0x510 net/socket.c:2413 ___sys_sendmsg net/socket.c:2467 [inline] __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553 __do_sys_sendmmsg net/socket.c:2582 [inline] __se_sys_sendmmsg net/socket.c:2579 [inline] __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0x00000000 -> 0xffffff9b Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 7670 Comm: syz-executor.3 Tainted: G W 5.18.0-rc1-syzkaller-dirty #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 I chose to not add Fixes: tag because race has minor consequences and stable teams busy enough.

Severity

No CVSS data available.

Assigner

Linux

References

2 references

URL	Tags
https://git.kernel.org/stable/c/20b2f61797873a2b1…
https://git.kernel.org/stable/c/4c971d2f3548e4f11…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 20b2f61797873a2b18b5ff1a304ad2674fa1e0a5 (git) Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4c971d2f3548e4f11b1460ac048f5307e4b39fdb (git) Affected: 0 , < 5.18.3 (semver)
Linux	Linux	Unaffected: 5.18.3 , ≤ 5.18.* (semver) Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/ip.h",
            "include/net/sock.h",
            "net/ipv6/datagram.c",
            "net/ipv6/udp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "20b2f61797873a2b18b5ff1a304ad2674fa1e0a5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4c971d2f3548e4f11b1460ac048f5307e4b39fdb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5.18.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/ip.h",
            "include/net/sock.h",
            "net/ipv6/datagram.c",
            "net/ipv6/udp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: annotate races around sk-\u003esk_bound_dev_if\n\nUDP sendmsg() is lockless, and reads sk-\u003esk_bound_dev_if while\nthis field can be changed by another thread.\n\nAdds minimal annotations to avoid KCSAN splats for UDP.\nFollowing patches will add more annotations to potential lockless readers.\n\nBUG: KCSAN: data-race in __ip6_datagram_connect / udpv6_sendmsg\n\nwrite to 0xffff888136d47a94 of 4 bytes by task 7681 on cpu 0:\n __ip6_datagram_connect+0x6e2/0x930 net/ipv6/datagram.c:221\n ip6_datagram_connect+0x2a/0x40 net/ipv6/datagram.c:272\n inet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576\n __sys_connect_file net/socket.c:1900 [inline]\n __sys_connect+0x197/0x1b0 net/socket.c:1917\n __do_sys_connect net/socket.c:1927 [inline]\n __se_sys_connect net/socket.c:1924 [inline]\n __x64_sys_connect+0x3d/0x50 net/socket.c:1924\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nread to 0xffff888136d47a94 of 4 bytes by task 7670 on cpu 1:\n udpv6_sendmsg+0xc60/0x16e0 net/ipv6/udp.c:1436\n inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:652\n sock_sendmsg_nosec net/socket.c:705 [inline]\n sock_sendmsg net/socket.c:725 [inline]\n ____sys_sendmsg+0x39a/0x510 net/socket.c:2413\n ___sys_sendmsg net/socket.c:2467 [inline]\n __sys_sendmmsg+0x267/0x4c0 net/socket.c:2553\n __do_sys_sendmmsg net/socket.c:2582 [inline]\n __se_sys_sendmmsg net/socket.c:2579 [inline]\n __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2579\n do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n do_syscall_64+0x2b/0x50 arch/x86/entry/common.c:80\n entry_SYSCALL_64_after_hwframe+0x44/0xae\n\nvalue changed: 0x00000000 -\u003e 0xffffff9b\n\nReported by Kernel Concurrency Sanitizer on:\nCPU: 1 PID: 7670 Comm: syz-executor.3 Tainted: G        W         5.18.0-rc1-syzkaller-dirty #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011\n\nI chose to not add Fixes: tag because race has minor consequences\nand stable teams busy enough."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:22:12.638Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/20b2f61797873a2b18b5ff1a304ad2674fa1e0a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c971d2f3548e4f11b1460ac048f5307e4b39fdb"
        }
      ],
      "title": "net: annotate races around sk-\u003esk_bound_dev_if",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49420",
    "datePublished": "2025-02-26T02:12:44.316Z",
    "dateReserved": "2025-02-26T02:08:31.568Z",
    "dateUpdated": "2026-05-23T15:22:12.638Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49469 (GCVE-0-2022-49469)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:13 – Updated: 2026-05-23 15:22

Title

btrfs: fix anon_dev leak in create_subvol()

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix anon_dev leak in create_subvol() When btrfs_qgroup_inherit(), btrfs_alloc_tree_block, or btrfs_insert_root() fail in create_subvol(), we return without freeing anon_dev. Reorganize the error handling in create_subvol() to fix this.

Severity

No CVSS data available.

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/d887b3de318834f9a…
https://git.kernel.org/stable/c/7a875ad8706f0903a…
https://git.kernel.org/stable/c/2256e901f5bddc56e…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 , < d887b3de318834f9aa637ecf79c6bc66cba7c69a (git) Affected: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 , < 7a875ad8706f0903a0e812e0dd701956ee9826ff (git) Affected: 2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788 , < 2256e901f5bddc56e24089c96f27b77da932dfcc (git) Affected: 917d608fe375041eb7f29befa6a6d7fd3cf32dde (git) Affected: 5.8.3 , < 5.9 (semver)
Linux	Linux	Affected: 5.9 Unaffected: 0 , < 5.9 (semver) Unaffected: 5.17.14 , ≤ 5.17.* (semver) Unaffected: 5.18.3 , ≤ 5.18.* (semver) Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d887b3de318834f9aa637ecf79c6bc66cba7c69a",
              "status": "affected",
              "version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788",
              "versionType": "git"
            },
            {
              "lessThan": "7a875ad8706f0903a0e812e0dd701956ee9826ff",
              "status": "affected",
              "version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788",
              "versionType": "git"
            },
            {
              "lessThan": "2256e901f5bddc56e24089c96f27b77da932dfcc",
              "status": "affected",
              "version": "2dfb1e43f57dd3aeaa66f7cf05d068db2d4c8788",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "917d608fe375041eb7f29befa6a6d7fd3cf32dde",
              "versionType": "git"
            },
            {
              "lessThan": "5.9",
              "status": "affected",
              "version": "5.8.3",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/ioctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.14",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.3",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.8.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix anon_dev leak in create_subvol()\n\nWhen btrfs_qgroup_inherit(), btrfs_alloc_tree_block, or\nbtrfs_insert_root() fail in create_subvol(), we return without freeing\nanon_dev. Reorganize the error handling in create_subvol() to fix this."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:22:19.905Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d887b3de318834f9aa637ecf79c6bc66cba7c69a"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a875ad8706f0903a0e812e0dd701956ee9826ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/2256e901f5bddc56e24089c96f27b77da932dfcc"
        }
      ],
      "title": "btrfs: fix anon_dev leak in create_subvol()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49469",
    "datePublished": "2025-02-26T02:13:13.387Z",
    "dateReserved": "2025-02-26T02:08:31.578Z",
    "dateUpdated": "2026-05-23T15:22:19.905Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49504 (GCVE-0-2022-49504)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:13 – Updated: 2026-05-11 19:01

Title

scsi: lpfc: Inhibit aborts if external loopback plug is inserted

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Inhibit aborts if external loopback plug is inserted After running a short external loopback test, when the external loopback is removed and a normal cable inserted that is directly connected to a target device, the system oops in the llpfc_set_rrq_active() routine. When the loopback was inserted an FLOGI was transmit. As we're looped back, we receive the FLOGI request. The FLOGI is ABTS'd as we recognize the same wppn thus understand it's a loopback. However, as the ABTS sends address information the port is not set to (fffffe), the ABTS is dropped on the wire. A short 1 frame loopback test is run and completes before the ABTS times out. The looback is unplugged and the new cable plugged in, and the an FLOGI to the new device occurs and completes. Due to a mixup in ref counting the completion of the new FLOGI releases the fabric ndlp. Then the original ABTS completes and references the released ndlp generating the oops. Correct by no-op'ing the ABTS when in loopback mode (it will be dropped anyway). Added a flag to track the mode to recognize when it should be no-op'd.

Severity

No CVSS data available.

Assigner

Linux

References

2 references

URL	Tags
https://git.kernel.org/stable/c/a1516930cb605caee…
https://git.kernel.org/stable/c/ead76d4c09b89f4c8…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 1b51197d0fd0c06877c6df1bba84ac4008a7fc60 , < a1516930cb605caee3bc7b4f3b7994b88c0b8505 (git) Affected: 1b51197d0fd0c06877c6df1bba84ac4008a7fc60 , < ead76d4c09b89f4c8d632648026a476a5a34fde8 (git)
Linux	Linux	Affected: 3.3 Unaffected: 0 , < 3.3 (semver) Unaffected: 5.18.3 , ≤ 5.18.* (semver) Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/lpfc/lpfc.h",
            "drivers/scsi/lpfc/lpfc_els.c",
            "drivers/scsi/lpfc/lpfc_hbadisc.c",
            "drivers/scsi/lpfc/lpfc_sli.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a1516930cb605caee3bc7b4f3b7994b88c0b8505",
              "status": "affected",
              "version": "1b51197d0fd0c06877c6df1bba84ac4008a7fc60",
              "versionType": "git"
            },
            {
              "lessThan": "ead76d4c09b89f4c8d632648026a476a5a34fde8",
              "status": "affected",
              "version": "1b51197d0fd0c06877c6df1bba84ac4008a7fc60",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/lpfc/lpfc.h",
            "drivers/scsi/lpfc/lpfc_els.c",
            "drivers/scsi/lpfc/lpfc_hbadisc.c",
            "drivers/scsi/lpfc/lpfc_sli.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.3"
            },
            {
              "lessThan": "3.3",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.3",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "3.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: lpfc: Inhibit aborts if external loopback plug is inserted\n\nAfter running a short external loopback test, when the external loopback is\nremoved and a normal cable inserted that is directly connected to a target\ndevice, the system oops in the llpfc_set_rrq_active() routine.\n\nWhen the loopback was inserted an FLOGI was transmit. As we\u0027re looped back,\nwe receive the FLOGI request. The FLOGI is ABTS\u0027d as we recognize the same\nwppn thus understand it\u0027s a loopback. However, as the ABTS sends address\ninformation the port is not set to (fffffe), the ABTS is dropped on the\nwire. A short 1 frame loopback test is run and completes before the ABTS\ntimes out. The looback is unplugged and the new cable plugged in, and the\nan FLOGI to the new device occurs and completes. Due to a mixup in ref\ncounting the completion of the new FLOGI releases the fabric ndlp. Then the\noriginal ABTS completes and references the released ndlp generating the\noops.\n\nCorrect by no-op\u0027ing the ABTS when in loopback mode (it will be dropped\nanyway). Added a flag to track the mode to recognize when it should be\nno-op\u0027d."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T19:01:11.695Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a1516930cb605caee3bc7b4f3b7994b88c0b8505"
        },
        {
          "url": "https://git.kernel.org/stable/c/ead76d4c09b89f4c8d632648026a476a5a34fde8"
        }
      ],
      "title": "scsi: lpfc: Inhibit aborts if external loopback plug is inserted",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49504",
    "datePublished": "2025-02-26T02:13:36.829Z",
    "dateReserved": "2025-02-26T02:08:31.586Z",
    "dateUpdated": "2026-05-11T19:01:11.695Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49552 (GCVE-0-2022-49552)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:14 – Updated: 2026-05-11 19:02

Title

bpf: Fix combination of jit blinding and pointers to bpf subprogs.

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix combination of jit blinding and pointers to bpf subprogs. The combination of jit blinding and pointers to bpf subprogs causes: [ 36.989548] BUG: unable to handle page fault for address: 0000000100000001 [ 36.990342] #PF: supervisor instruction fetch in kernel mode [ 36.990968] #PF: error_code(0x0010) - not-present page [ 36.994859] RIP: 0010:0x100000001 [ 36.995209] Code: Unable to access opcode bytes at RIP 0xffffffd7. [ 37.004091] Call Trace: [ 37.004351] <TASK> [ 37.004576] ? bpf_loop+0x4d/0x70 [ 37.004932] ? bpf_prog_3899083f75e4c5de_F+0xe3/0x13b The jit blinding logic didn't recognize that ld_imm64 with an address of bpf subprogram is a special instruction and proceeded to randomize it. By itself it wouldn't have been an issue, but jit_subprogs() logic relies on two step process to JIT all subprogs and then JIT them again when addresses of all subprogs are known. Blinding process in the first JIT phase caused second JIT to miss adjustment of special ld_imm64. Fix this issue by ignoring special ld_imm64 instructions that don't have user controlled constants and shouldn't be blinded.

Severity

No CVSS data available.

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/a029b02b47dd5bb87…
https://git.kernel.org/stable/c/d106a3e96fca30e44…
https://git.kernel.org/stable/c/4b6313cf99b0d51b4…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: 69c087ba6225b574afb6e505b72cb75242a3d844 , < a029b02b47dd5bb87a21550d9d9a80cb4dd3f714 (git) Affected: 69c087ba6225b574afb6e505b72cb75242a3d844 , < d106a3e96fca30e44081eae9c27aab28fc132a46 (git) Affected: 69c087ba6225b574afb6e505b72cb75242a3d844 , < 4b6313cf99b0d51b49aeaea98ec76ca8161ecb80 (git)
Linux	Linux	Affected: 5.13 Unaffected: 0 , < 5.13 (semver) Unaffected: 5.17.13 , ≤ 5.17.* (semver) Unaffected: 5.18.2 , ≤ 5.18.* (semver) Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a029b02b47dd5bb87a21550d9d9a80cb4dd3f714",
              "status": "affected",
              "version": "69c087ba6225b574afb6e505b72cb75242a3d844",
              "versionType": "git"
            },
            {
              "lessThan": "d106a3e96fca30e44081eae9c27aab28fc132a46",
              "status": "affected",
              "version": "69c087ba6225b574afb6e505b72cb75242a3d844",
              "versionType": "git"
            },
            {
              "lessThan": "4b6313cf99b0d51b49aeaea98ec76ca8161ecb80",
              "status": "affected",
              "version": "69c087ba6225b574afb6e505b72cb75242a3d844",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.13",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.2",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix combination of jit blinding and pointers to bpf subprogs.\n\nThe combination of jit blinding and pointers to bpf subprogs causes:\n[   36.989548] BUG: unable to handle page fault for address: 0000000100000001\n[   36.990342] #PF: supervisor instruction fetch in kernel mode\n[   36.990968] #PF: error_code(0x0010) - not-present page\n[   36.994859] RIP: 0010:0x100000001\n[   36.995209] Code: Unable to access opcode bytes at RIP 0xffffffd7.\n[   37.004091] Call Trace:\n[   37.004351]  \u003cTASK\u003e\n[   37.004576]  ? bpf_loop+0x4d/0x70\n[   37.004932]  ? bpf_prog_3899083f75e4c5de_F+0xe3/0x13b\n\nThe jit blinding logic didn\u0027t recognize that ld_imm64 with an address\nof bpf subprogram is a special instruction and proceeded to randomize it.\nBy itself it wouldn\u0027t have been an issue, but jit_subprogs() logic\nrelies on two step process to JIT all subprogs and then JIT them\nagain when addresses of all subprogs are known.\nBlinding process in the first JIT phase caused second JIT to miss\nadjustment of special ld_imm64.\n\nFix this issue by ignoring special ld_imm64 instructions that don\u0027t have\nuser controlled constants and shouldn\u0027t be blinded."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T19:02:09.323Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a029b02b47dd5bb87a21550d9d9a80cb4dd3f714"
        },
        {
          "url": "https://git.kernel.org/stable/c/d106a3e96fca30e44081eae9c27aab28fc132a46"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b6313cf99b0d51b49aeaea98ec76ca8161ecb80"
        }
      ],
      "title": "bpf: Fix combination of jit blinding and pointers to bpf subprogs.",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49552",
    "datePublished": "2025-02-26T02:14:01.696Z",
    "dateReserved": "2025-02-26T02:08:31.590Z",
    "dateUpdated": "2026-05-11T19:02:09.323Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49562 (GCVE-0-2022-49562)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:14 – Updated: 2026-05-11 19:02

Title

KVM: x86: Use __try_cmpxchg_user() to update guest PTE A/D bits

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Use __try_cmpxchg_user() to update guest PTE A/D bits Use the recently introduced __try_cmpxchg_user() to update guest PTE A/D bits instead of mapping the PTE into kernel address space. The VM_PFNMAP path is broken as it assumes that vm_pgoff is the base pfn of the mapped VMA range, which is conceptually wrong as vm_pgoff is the offset relative to the file and has nothing to do with the pfn. The horrific hack worked for the original use case (backing guest memory with /dev/mem), but leads to accessing "random" pfns for pretty much any other VM_PFNMAP case.

Severity

No CVSS data available.

Assigner

Linux

References

3 references

URL	Tags
https://git.kernel.org/stable/c/38b888911e8dc89b8…
https://git.kernel.org/stable/c/8089e5e1d18402fb8…
https://git.kernel.org/stable/c/f122dfe4476890d60…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: bd53cb35a3e9adb73a834a36586e9ad80e877767 , < 38b888911e8dc89b89d8147cfb1d2dbe6373bf78 (git) Affected: bd53cb35a3e9adb73a834a36586e9ad80e877767 , < 8089e5e1d18402fb8152d6b6815450a36fffa9b0 (git) Affected: bd53cb35a3e9adb73a834a36586e9ad80e877767 , < f122dfe4476890d60b8c679128cd2259ec96a24c (git)
Linux	Linux	Affected: 5.2 Unaffected: 0 , < 5.2 (semver) Unaffected: 5.17.13 , ≤ 5.17.* (semver) Unaffected: 5.18.2 , ≤ 5.18.* (semver) Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/mmu/paging_tmpl.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "38b888911e8dc89b89d8147cfb1d2dbe6373bf78",
              "status": "affected",
              "version": "bd53cb35a3e9adb73a834a36586e9ad80e877767",
              "versionType": "git"
            },
            {
              "lessThan": "8089e5e1d18402fb8152d6b6815450a36fffa9b0",
              "status": "affected",
              "version": "bd53cb35a3e9adb73a834a36586e9ad80e877767",
              "versionType": "git"
            },
            {
              "lessThan": "f122dfe4476890d60b8c679128cd2259ec96a24c",
              "status": "affected",
              "version": "bd53cb35a3e9adb73a834a36586e9ad80e877767",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kvm/mmu/paging_tmpl.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.2"
            },
            {
              "lessThan": "5.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.17.*",
              "status": "unaffected",
              "version": "5.17.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.17.13",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.2",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "5.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: x86: Use __try_cmpxchg_user() to update guest PTE A/D bits\n\nUse the recently introduced __try_cmpxchg_user() to update guest PTE A/D\nbits instead of mapping the PTE into kernel address space.  The VM_PFNMAP\npath is broken as it assumes that vm_pgoff is the base pfn of the mapped\nVMA range, which is conceptually wrong as vm_pgoff is the offset relative\nto the file and has nothing to do with the pfn.  The horrific hack worked\nfor the original use case (backing guest memory with /dev/mem), but leads\nto accessing \"random\" pfns for pretty much any other VM_PFNMAP case."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T19:02:21.080Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/38b888911e8dc89b89d8147cfb1d2dbe6373bf78"
        },
        {
          "url": "https://git.kernel.org/stable/c/8089e5e1d18402fb8152d6b6815450a36fffa9b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f122dfe4476890d60b8c679128cd2259ec96a24c"
        }
      ],
      "title": "KVM: x86: Use __try_cmpxchg_user() to update guest PTE A/D bits",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49562",
    "datePublished": "2025-02-26T02:14:06.515Z",
    "dateReserved": "2025-02-26T02:08:31.591Z",
    "dateUpdated": "2026-05-11T19:02:21.080Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49610 (GCVE-0-2022-49610)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:23 – Updated: 2026-05-23 15:22

Title

KVM: VMX: Prevent RSB underflow before vmenter

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: VMX: Prevent RSB underflow before vmenter On VMX, there are some balanced returns between the time the guest's SPEC_CTRL value is written, and the vmenter. Balanced returns (matched by a preceding call) are usually ok, but it's at least theoretically possible an NMI with a deep call stack could empty the RSB before one of the returns. For maximum paranoia, don't allow *any* returns (balanced or otherwise) between the SPEC_CTRL write and the vmenter. [ bp: Fix 32-bit build. ]

Severity

No CVSS data available.

Assigner

Linux

References

2 references

URL	Tags
https://git.kernel.org/stable/c/afd743f6dde87296c…
https://git.kernel.org/stable/c/07853adc29a058c5f…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: d28b387fb74da95d69d2615732f50cceb38e9a4d , < afd743f6dde87296c6f3414706964c491bb85862 (git) Affected: d28b387fb74da95d69d2615732f50cceb38e9a4d , < 07853adc29a058c5fd143c14e5ac528448a72ed9 (git) Affected: 44491a23b73789c0a914af4ea55ccf8968adf90b (git) Affected: fc6aae9f407810cb153a9133c28735871f9f0a16 (git) Affected: 3.16.57 , < 3.17 (semver) Affected: 4.4.168 , < 4.5 (semver)
Linux	Linux	Affected: 4.16 Unaffected: 0 , < 4.16 (semver) Unaffected: 5.18.14 , ≤ 5.18.* (semver) Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/asm-offsets.c",
            "arch/x86/kernel/cpu/bugs.c",
            "arch/x86/kvm/vmx/capabilities.h",
            "arch/x86/kvm/vmx/vmenter.S",
            "arch/x86/kvm/vmx/vmx.c",
            "arch/x86/kvm/vmx/vmx.h",
            "arch/x86/kvm/vmx/vmx_ops.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "afd743f6dde87296c6f3414706964c491bb85862",
              "status": "affected",
              "version": "d28b387fb74da95d69d2615732f50cceb38e9a4d",
              "versionType": "git"
            },
            {
              "lessThan": "07853adc29a058c5fd143c14e5ac528448a72ed9",
              "status": "affected",
              "version": "d28b387fb74da95d69d2615732f50cceb38e9a4d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "44491a23b73789c0a914af4ea55ccf8968adf90b",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "fc6aae9f407810cb153a9133c28735871f9f0a16",
              "versionType": "git"
            },
            {
              "lessThan": "3.17",
              "status": "affected",
              "version": "3.16.57",
              "versionType": "semver"
            },
            {
              "lessThan": "4.5",
              "status": "affected",
              "version": "4.4.168",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/asm-offsets.c",
            "arch/x86/kernel/cpu/bugs.c",
            "arch/x86/kvm/vmx/capabilities.h",
            "arch/x86/kvm/vmx/vmenter.S",
            "arch/x86/kvm/vmx/vmx.c",
            "arch/x86/kvm/vmx/vmx.h",
            "arch/x86/kvm/vmx/vmx_ops.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.16"
            },
            {
              "lessThan": "4.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.14",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.57",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.168",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: VMX: Prevent RSB underflow before vmenter\n\nOn VMX, there are some balanced returns between the time the guest\u0027s\nSPEC_CTRL value is written, and the vmenter.\n\nBalanced returns (matched by a preceding call) are usually ok, but it\u0027s\nat least theoretically possible an NMI with a deep call stack could\nempty the RSB before one of the returns.\n\nFor maximum paranoia, don\u0027t allow *any* returns (balanced or otherwise)\nbetween the SPEC_CTRL write and the vmenter.\n\n  [ bp: Fix 32-bit build. ]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-23T15:22:32.065Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/afd743f6dde87296c6f3414706964c491bb85862"
        },
        {
          "url": "https://git.kernel.org/stable/c/07853adc29a058c5fd143c14e5ac528448a72ed9"
        }
      ],
      "title": "KVM: VMX: Prevent RSB underflow before vmenter",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49610",
    "datePublished": "2025-02-26T02:23:33.299Z",
    "dateReserved": "2025-02-26T02:21:30.417Z",
    "dateUpdated": "2026-05-23T15:22:32.065Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49635 (GCVE-0-2022-49635)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:23 – Updated: 2026-05-11 19:03

Title

drm/i915/selftests: fix subtraction overflow bug

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/i915/selftests: fix subtraction overflow bug On some machines hole_end can be small enough to cause subtraction overflow. On the other side (addr + 2 * min_alignment) can overflow in case of mock tests. This patch should handle both cases. (cherry picked from commit ab3edc679c552a466e4bf0b11af3666008bd65a2)

Severity

No CVSS data available.

Assigner

Linux

References

2 references

URL	Tags
https://git.kernel.org/stable/c/e8997d2d6b8d764e1…
https://git.kernel.org/stable/c/333991c4e66b3d4b5…

Impacted products

2 products

Vendor	Product	Version
Linux	Linux	Affected: e1c5f754067b594de58d387aa5873dec83b6c9fd , < e8997d2d6b8d764e12489f1af2a1ce1d7384ca2a (git) Affected: e1c5f754067b594de58d387aa5873dec83b6c9fd , < 333991c4e66b3d4b5613315f18016da80344f659 (git)
Linux	Linux	Affected: 4.12 Unaffected: 0 , < 4.12 (semver) Unaffected: 5.18.13 , ≤ 5.18.* (semver) Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/selftests/i915_gem_gtt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e8997d2d6b8d764e12489f1af2a1ce1d7384ca2a",
              "status": "affected",
              "version": "e1c5f754067b594de58d387aa5873dec83b6c9fd",
              "versionType": "git"
            },
            {
              "lessThan": "333991c4e66b3d4b5613315f18016da80344f659",
              "status": "affected",
              "version": "e1c5f754067b594de58d387aa5873dec83b6c9fd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/selftests/i915_gem_gtt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.12"
            },
            {
              "lessThan": "4.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.13",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/selftests: fix subtraction overflow bug\n\nOn some machines hole_end can be small enough to cause subtraction\noverflow. On the other side (addr + 2 * min_alignment) can overflow\nin case of mock tests. This patch should handle both cases.\n\n(cherry picked from commit ab3edc679c552a466e4bf0b11af3666008bd65a2)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T19:03:44.825Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e8997d2d6b8d764e12489f1af2a1ce1d7384ca2a"
        },
        {
          "url": "https://git.kernel.org/stable/c/333991c4e66b3d4b5613315f18016da80344f659"
        }
      ],
      "title": "drm/i915/selftests: fix subtraction overflow bug",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49635",
    "datePublished": "2025-02-26T02:23:45.744Z",
    "dateReserved": "2025-02-26T02:21:30.429Z",
    "dateUpdated": "2026-05-11T19:03:44.825Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CERTFR-2025-AVI-0920

Solutions

CVE-2022-49267 (GCVE-0-2022-49267)

CVE-2022-49306 (GCVE-0-2022-49306)

CVE-2022-49333 (GCVE-0-2022-49333)

CVE-2022-49420 (GCVE-0-2022-49420)

CVE-2022-49469 (GCVE-0-2022-49469)

CVE-2022-49504 (GCVE-0-2022-49504)

CVE-2022-49552 (GCVE-0-2022-49552)

CVE-2022-49562 (GCVE-0-2022-49562)

CVE-2022-49610 (GCVE-0-2022-49610)

CVE-2022-49635 (GCVE-0-2022-49635)

Tags

Sightings

Nomenclature