Linux Kernel Security Vulnerabilities
In the Linux kernel, the following vulnerability has been resolved: netfilter: validate user input for expected length I got multiple syzbot reports showing old bugs exposedby BPF after commit 20f2505fb436 ("bpf: Try to avoid kzallocin cgroup/{s,g}etsockopt") setsockopt() @optlen argument should be...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: discard table flag update with pending basechain deletion Hook unregistration is deferred to the commit phase, same occurs withhook updates triggered by the table dormant flag. When both commands arecombined, ...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() nft_unregister_flowtable_type() within nf_flow_inet_module_exit() canconcurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().And thhere ...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: flush pending destroy work before exit_net release Similar to 2c9f0293280e ("netfilter: nf_tables: flush pending destroywork before netlink notifier") to address a race between exit_net andthe destroy workqueu...
6.1CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: reject new basechain after table flag update When dormant flag is toggled, hooks are disabled in the commit phase byiterating over current chains in table (existing and new). The following configuration allows...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: mana: Fix Rx DMA datasize and skb_over_panic mana_get_rxbuf_cfg() aligns the RX buffer's DMA datasize to bemultiple of 64. So a packet slightly bigger than mtu+14, say 1536,can be received and cause skb_over_panic. Sample dmes...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/rds: fix possible cp null dereference cp might be null, calling cp->cp_conn would produce null dereference [Simon Horman adds:] Analysis: cp is a parameter of __rds_rdma_map and is not reassigned. The following call-sites pa...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: x86/bpf: Fix IP after emitting call depth accounting Adjust the IP passed to emit_patch so it calculates the correct offsetfor the CALL instruction if x86_call_depth_emit_accounting emits code.Otherwise we will skip some instructio...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: selinux: avoid dereference of garbage after mount failure In case kern_mount() fails and returns an error pointer return in theerror branch instead of continuing and dereferencing the error pointer. While on it drop the never read ...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: bpf: Protect against int overflow for stack access size This patch re-introduces protection against the size of access to stackmemory being negative; the access size can appear negative as a resultof overflowing its signed int repr...
7.1AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: mlxbf_gige: call request_irq() after NAPI initialized The mlxbf_gige driver encounters a NULL pointer exception inmlxbf_gige_open() when kdump is enabled. The sequence to reproducethe exception is as follows:a) enable kdumpb) trigg...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: tls: get psock ref after taking rxlock to avoid leak At the start of tls_sw_recvmsg, we take a reference on the psock, andthen call tls_rx_reader_lock. If that fails, we return directlywithout releasing the reference. Instead of ad...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: wwan: t7xx: Split 64bit accesses to fix alignment issues Some of the registers are aligned on a 32bit boundary, causingalignment faults on 64bit platforms. Unable to handle kernel paging request at virtual address ffffffc084a1...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: tcp: properly terminate timers for kernel sockets We had various syzbot reports about tcp timers firing afterthe corresponding netns has been dismantled. Fortunately Josef Bacik could trigger the issue more often,and could test a p...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ice: fix memory corruption bug with suspend and rebuild The ice driver would previously panic after suspend. This is causedfrom the driver only calling the ice_vsi_free_q_vectors() function byitself, when it is suspending. Since co...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: rfi: fix potential response leaks If the rx payload length check fails, or if kmemdup() fails,we still need to free the command response. Fix that.
6.9AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: pick the version of SESSION_PROTECTION_NOTIF When we want to know whether we should look for the mac_id or thelink_id in struct iwl_mvm_session_prot_notif, we should look at theversion of SESSION_PROTECTION_NOTI...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: nfsd: Fix error cleanup path in nfsd_rename() Commit a8b0026847b8 ("rename(): avoid a deadlock in the case of parentshaving no common ancestor") added an error bail out path. However thispath does not drop the remount protection th...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix uninit-value in nci_dev_up and nci_ntf_packet syzbot reported the following uninit-value access issue [1][2]: nci_rx_work() parses and processes received packet. When the payloadlength is zero, each message type handl...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: dma-buf: Fix NULL pointer dereference in sanitycheck() If due to a memory allocation failure mock_chain() returns NULL, it ispassed to dma_fence_enable_sw_signaling() resulting in NULL pointerdereference there. Call dma_fence_enabl...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: s390/bpf: Fix bpf_plt pointer arithmetic Kui-Feng Lee reported a crash on s390x triggered by thedummy_st_ops/dummy_init_ptr_arg test [1]: [<0000000000000002>] 0x2[<00000000009d5cde>] bpf_struct_ops_test_run+0x156/0x250[...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: randomize_kstack: Improve entropy diffusion The kstack_offset variable was really only ever using the low bits forkernel stack offset entropy. Add a ror32() to increase bit diffusion.
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: adding lock to protect encoder context list Add a lock for the ctx_list, to avoid accessing a NULL pointerwithin the 'vpu_enc_ipi_handler' function when the ctx_list hasbeen deleted due to an unexpected beh...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: adding lock to protect decoder context list Add a lock for the ctx_list, to avoid accessing a NULL pointerwithin the 'vpu_dec_ipi_handler' function when the ctx_list hasbeen deleted due to an unexpected beh...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Fix oops when HEVC init fails The stateless HEVC decoder saves the instance pointer in the contextregardless if the initialization worked or not. This caused a use afterfree, when the pointer is freed in ca...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: fbmon: prevent division by zero in fb_videomode_from_videomode() The expression htotal * vtotal can have a zero value onoverflow. It is necessary to prevent division by zero like infb_var_to_videomode(). Found by Linux Verification...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: usb: typec: ucsi: Limit read size on v1.2 Between UCSI 1.2 and UCSI 2.0, the size of the MESSAGE_IN region wasincreased from 16 to 256. In order to avoid overflowing reads for oldersystems, add a mechanism to use the read UCSI vers...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: block: prevent division by zero in blk_rq_stat_sum() The expression dst->nr_samples + src->nr_samples mayhave zero value on overflow. It is necessary to adda check to avoid division by zero. Found by Linux Verification Center...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: crypto: iaa - Fix async_disable descriptor leak The disable_async paths of iaa_compress/decompress() don't free idxddescriptors in the async_disable case. Currently this only happens inthe testcases where req->dst is set to null...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm: Check output polling initialized before disabling In drm_kms_helper_poll_disable() check if output pollingsupport is initialized before disabling polling. If not flagthis as a warning.Additionally in drm_mode_config_helper_sus...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/amd/amdgpu: Fix potential ioremap() memory leaks in amdgpu_device_init() This ensures that the memory mapped by ioremap for adev->rmmio, isproperly handled in amdgpu_device_init(). If the function exits earlydue to an error,...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: rcu/nocb: Fix WARN_ON_ONCE() in the rcu_nocb_bypass_lock() For the kernels built with CONFIG_RCU_NOCB_CPU_DEFAULT_ALL=y andCONFIG_RCU_LAZY=y, the following scenarios will trigger WARN_ON_ONCE()in the rcu_nocb_bypass_lock() and rcu_...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc() The call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return anunsuccessful status. In such cases, the elsiocb is not issued, thecompletion is not called, and thus the...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Skip do PCI error slot reset during RAS recovery Why:The PCI error slot reset maybe triggered after inject ue to UMC multi times, thiscaused system hang.[ 557.371857] amdgpu 0000:af:00.0: amdgpu: GPU reset succeeded, tr...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/vc4: don't check if plane->state->fb == state->fb Currently, when using non-blocking commits, we can see the followingkernel warning: [ 110.908514] ------------[ cut here ]------------[ 110.908529] refcount_t: underflo...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btintel: Fix null ptr deref in btintel_read_version If hci_cmd_sync_complete() is triggered and skb is NULL, thenhdev->req_skb is NULL, which will cause this issue.
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/smc: reduce rtnl pressure in smc_pnet_create_pnetids_list() Many syzbot reports show extreme rtnl pressure, and many of them hintthat smc acquires rtnl in netns creation for no good reason [1] This patch returns early from smc_...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: btrfs: send: handle path ref underflow in header iterate_inode_ref() Change BUG_ON to proper error handling if building the path bufferfails. The pointers are not printed so we don't accidentally leak kerneladdresses.
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: btrfs: handle chunk tree lookup error in btrfs_relocate_sys_chunks() The unhandled case in btrfs_relocate_sys_chunks() loop is a corruption,as it could be caused only by two impossible conditions: at first the search key is set up ...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: check A-MSDU format more carefully If it looks like there's another subframe in the A-MSDUbut the header isn't fully there, we can end up readingdata out of bounds, only to discard later. Make this abit more careful...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: decrease MHI channel buffer length to 8KB Currently buf_len field of ath11k_mhi_config_qca6390 is assignedwith 0, making MHI use a default size, 64KB, to allocate channelbuffers. This is likely to fail in some scenari...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: dma-direct: Leak pages on dma_set_decrypted() failure On TDX it is possible for the untrusted host to causeset_memory_encrypted() or set_memory_decrypted() to fail such that anerror is returned and the resulting memory is shared. C...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: pstore/zone: Add a null pointer check to the psz_kmsg_read kasprintf() returns a pointer to dynamically allocated memorywhich can be NULL upon failure. Ensure the allocation was successfulby checking the pointer validity.
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: pmdomain: imx8mp-blk-ctrl: imx8mp_blk: Add fdcc clock to hdmimix domain According to i.MX8MP RM and HDMI ADD, the fdcc clock is part ofhdmi rx verification IP that should not enable for HDMI TX.But actually if the clock is disabled...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: pmdomain: ti: Add a null pointer check to the omap_prm_domain_init devm_kasprintf() returns a pointer to dynamically allocated memorywhich can be NULL upon failure. Ensure the allocation was successfulby checking the pointer validi...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: VMCI: Fix memcpy() run-time warning in dg_dispatch_as_host() Syzkaller hit 'WARNING in dg_dispatch_as_host' bug. memcpy: detected field-spanning write (size 56) of single field "&dg_info->msg"at drivers/misc/vmw_vmci/vmci_datagr...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: phy: phy_device: Prevent nullptr exceptions on ISR If phydev->irq is set unconditionally, checkfor valid interrupt handler or fall back to polling mode to preventnullptr exceptions in interrupt service routine.
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: rtw89: fix null pointer access when abort scan During cancel scan we might use vif that weren't scanning.Fix this by using the actual scanning vif.
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: dyndbg: fix old BUG_ON in >control parser Fix a BUG_ON from 2009. Even if it looks "unreachable" (I didn'treally look), lets make sure by removing it, doing pr_err and return-EINVAL instead.
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: bcachefs: Check for journal entries overruning end of sb clean section Fix a missing bounds check in superblock validation. Note that we don't yet have repair code for this case - repair code forindividual items is generally low pr...
8.4CVSS
6.8AI Score
0.0004EPSS