Analysis for CVE-2022-50274.yml CVE-2022-50310.yml CVE-2023-53235.yml CVE-2023-53241.yml CVE-2023-53329.yml CVE-2023-53368.yml CVE-2025-39702.yml CVE-2025-39711.yml CVE-2025-39746.yml CVE-2025-39790.yml CVE-2025-39955.yml

Author: Rohit Keshri

vulns/CVE-2022-50274.yml

@@ -0,0 +1,12 @@
+reachability: Local
+memory_corruption: yes
+bug_class: UAF
+impact: DoS
+privileges_required: yes
+notes:
+dvb_unregister_device() is known that prone to use-after-free.
+That is, the cleanup from dvb_unregister_device() releases the dvb_device
+even if there are pointers stored in file->private_data still refer to it.
+
+author: RedHat
+

vulns/CVE-2022-50310.yml

@@ -0,0 +1,13 @@
+reachability: Local
+memory_corruption: no
+bug_class: UAF
+impact: DoS
+privileges_required: no
+notes:
+A UAF issue in ip6mr_sk_done() when addrconf_init_net() failed
+If the initialization fails in calling addrconf_init_net(), devconf_all is
+the pointer that has been released. Then ip6mr_sk_done() is called to
+release the net, accessing devconf->mc_forwarding directly causes invalid
+pointer access.
+author: RedHat
+

vulns/CVE-2023-53235.yml

@@ -0,0 +1,12 @@
+reachability: Local
+memory_corruption: no
+bug_class: UAF
+impact: DoS
+privileges_required: yes
+notes:
+when using __drm_kunit_helper_alloc_drm_device() the driver may be
+dereferenced by device-managed resources up until the device is
+freed, which is typically later than the kunit-managed resource code
+frees it causing a UAF problem.
+author: RedHat
+

vulns/CVE-2023-53241.yml

@@ -0,0 +1,18 @@
+reachability: Local
+memory_corruption: no
+bug_class: Double Free
+impact: DoS / Info Leak
+privileges_required: no
+notes:
+For ops with "trivial" replies, nfsd4_encode_operation will shortcut
+most of the encoding work and skip to just marshalling up the status.
+One of the things it skips is calling op_release. This could cause a
+memory leak in the layoutget codepath if there is an error at an
+inopportune time.
+
+Have the compound processing engine always call op_release, even when
+op_func sets an error in op->status. With this change, we also need
+nfsd4_block_get_device_info_scsi to set the gd_device pointer to NULL
+on error to avoid a double free.
+author: RedHat
+

vulns/CVE-2023-53329.yml

@@ -0,0 +1,9 @@
+reachability: Local
+memory_corruption: no
+bug_class: Race
+impact: DoS
+privileges_required: no
+notes:
+A data race with the pwq->stats[] increment 
+author: RedHat
+

vulns/CVE-2023-53368.yml

@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: no
+bug_class: Race
+impact: DoS
+privileges_required: yes
+notes:
+A race issue between cpu buffer write and swap, It is because the race between 
+writing event into cpu buffer and swapping cpu buffer through file per_cpu/cpu0/snapshot
+author: RedHat
+

vulns/CVE-2025-39702.yml

@@ -0,0 +1,10 @@
+reachability: Local
+memory_corruption: no
+bug_class: Info Leak
+impact: Info Leak
+privileges_required: no
+notes:
+MAC comparison to be constant-time, To prevent timing attacks, MACs need to be compared in constant time.
+Use the appropriate helper function for this.
+author: RedHat
+

vulns/CVE-2025-39711.yml

@@ -0,0 +1,21 @@
+reachability: Local
+memory_corruption: no
+bug_class: UAF
+impact: DoS
+privileges_required: Yes
+notes:
+A UAF was seen causing a crash at shutdown due to missing mei_cldev_disable() calls, 
+Both the ACE and CSI driver are missing a mei_cldev_disable() call in
+their remove() function.
+
+This causes the mei_cl client to stay part of the mei_device->file_list
+list even though its memory is freed by mei_cl_bus_dev_release() calling
+kfree(cldev->cl).
+
+This leads to a use-after-free when mei_vsc_remove() runs mei_stop()
+which first removes all mei bus devices calling mei_ace_remove() and
+mei_csi_remove() followed by mei_cl_bus_dev_release() and then calls
+mei_cl_all_disconnect() which walks over mei_device->file_list dereferecing
+the just freed cldev->cl.
+author: RedHat
+

vulns/CVE-2025-39746.yml

@@ -0,0 +1,11 @@
+reachability: Adjacent
+memory_corruption: no
+bug_class: Logic Error
+impact: DoS
+privileges_required: yes
+notes:
+DoS due to unreliable hardwere, In rare cases, ath10k may lose connection with the PCIe bus due to
+some unknown reasons, which could further lead to system crashes during
+resuming due to watchdog timeout.
+author: RedHat
+

vulns/CVE-2025-39790.yml

@@ -0,0 +1,12 @@
+reachability: Local
+memory_corruption: no
+bug_class: Double Free
+impact: DoS
+privileges_required: Yes
+notes:
+The host accesses an event ring while the device is
+updating it, the pointer inside of the event might still point to an old
+TRE. If the host uses the channel's xfer_cb() to directly free the buffer
+pointed to by the TRE, the buffer will be double-freed.
+author: RedHat
+