(RHSA-2024:0575) Important: kernel security and bug fix update

The kernel packages contain the Linux kernel, the core of any Linux operating system.

Security Fix(es):

• kernel: bpf: Incorrect verifier pruning leads to unsafe code paths being incorrectly marked as safe (CVE-2023-2163)

• kernel: net/sched: sch_qfq component can be exploited if in qfq_change_agg function happens qfq_enqueue overhead (CVE-2023-3611)

• kernel: tun: bugs for oversize packet when napi frags enabled in tun_napi_alloc_frags (CVE-2023-3812)

• kernel: use after free in unix_stream_sendpage (CVE-2023-4622)

• kernel: net/sched: sch_hfsc UAF (CVE-2023-4623)

• kernel: use after free in nvmet_tcp_free_crypto in NVMe (CVE-2023-5178)

• kernel: out-of-bounds write in qfq_change_class function (CVE-2023-31436)

• kernel: IGB driver inadequate buffer size for frames larger than MTU (CVE-2023-45871)

• kernel: Race Condition leading to UAF in Unix Socket could happen in sk_receive_queue (BZ#2230094)

• kernel: speculative pointer dereference in do_prlimit() in kernel/sys.c (CVE-2023-0458)

• kernel: HID: check empty report_list in hid_validate_values() (CVE-2023-1073)

• kernel: hid: Use After Free in asus_remove() (CVE-2023-1079)

• kernel: Possible use-after-free since the two fdget() during vhost_net_set_backend() (CVE-2023-1838)

• kernel: UAF during login when accessing the shost ipaddress (CVE-2023-2162)

• kernel: use after free in vcs_read in drivers/tty/vt/vc_screen.c due to race (CVE-2023-3567)

• kernel: xfrm: NULL pointer dereference in xfrm_update_ae_params() (CVE-2023-3772)

• kernel: smsusb: use-after-free caused by do_submit_urb() (CVE-2023-4132)

• kernel: A heap out-of-bounds write (CVE-2023-5717)

• kernel: denial of service in atm_tc_enqueue in net/sched/sch_atm.c due to type confusion (CVE-2023-23455)

• kernel: mpls: double free on sysctl allocation failure (CVE-2023-26545)

• kernel: Denial of service issue in az6027 driver in drivers/media/usb/dev-usb/az6027.c (CVE-2023-28328)

• kernel: net: qcom/emac: race condition leading to use-after-free in emac_remove() (CVE-2023-33203)

• kernel: saa7134: race condition leading to use-after-free in saa7134_finidev() (CVE-2023-35823)

• kernel: dm1105: race condition leading to use-after-free in dm1105_remove.c() (CVE-2023-35824)

• kernel: r592: race condition leading to use-after-free in r592_remove() (CVE-2023-35825)

• kernel: SEV-ES local priv escalation (CVE-2023-46813)

• kernel: net/tls: tls_is_tx_ready() checked list_entry (CVE-2023-1075)

• kernel: use-after-free bug in remove function xgene_hwmon_remove (CVE-2023-1855)

• kernel: Use after free bug in r592_remove (CVE-2023-3141)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

• [RHEL 8.9] Proactively backport locking fixes from upstream (BZ#2235393)