Linux Kernel Security Vulnerabilities
In the Linux kernel, the following vulnerability has been resolved: tcp: Fix shift-out-of-bounds in dctcp_update_alpha(). In dctcp_update_alpha(), we use a module parameter dctcp_shift_gas follows: alpha -= min_not_zero(alpha, alpha >> dctcp_shift_g);...delivered_ce <<= (10 - dctcp_shif...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: btrfs: protect folio::private when attaching extent buffer folios [BUG]Since v6.8 there are rare kernel crashes reported by various people,the common factor is bad page status error messages like this: BUG: Bad page state in proces...
7.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: nfc: nci: Fix uninit-value in nci_rx_work syzbot reported the following uninit-value access issue [1] nci_rx_work() parses received packet from ndev->rx_q. It should bevalidated header size, payload size and total packet size be...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: blk-cgroup: fix list corruption from reorder of WRITE ->lqueued __blkcg_rstat_flush() can be run anytime, especially when blk_cgroup_bio_startis being executed. If WRITE of ->lqueued is re-ordered with READ of 'bisc->lnode...
8.4CVSS
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: genirq/irqdesc: Prevent use-after-free in irq_find_at_or_after() irq_find_at_or_after() dereferences the interrupt descriptor which isreturned by mt_find() while neither holding sparse_irq_lock nor RCU readlock, which means the des...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ALSA: hda/cs_dsp_ctl: Use private_free for control cleanup Use the control private_free callback to free the associated datablock. This ensures that the memory won't leak, whatever way thecontrol gets destroyed. The original implem...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails Calling a6xx_destroy() before adreno_gpu_init() leads to a null pointerdereference on: msm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL); as gpu->p...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: bridge: xmit: make sure we have at least eth header len bytes syzbot triggered an uninit value[1] error in bridge device's xmit pathby sending a short (less than ETH_HLEN bytes) skb. To fix it check ifwe can actually pull that...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Fix kmemleak in rdma_core observed during blktests nvme/rdma use siw When running blktests nvme/rdma, the following kmemleak issue will appear. kmemleak: Kernel memory leak detector initialized (mempool available:36041)km...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is calledwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.In that case, "roundup_p...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: of: module: add buffer overflow check in of_modalias() In of_modalias(), if the buffer happens to be too small even for the 1stsnprintf() call, the len parameter will become negative and str parameter(if not NULL initially) will po...
9.8CVSS
7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: RDMA/mana_ib: boundary check before installing cq callbacks Add a boundary check inside mana_ib_install_cq_cb to prevent index overflow.
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: lib/test_hmm.c: handle src_pfns and dst_pfns allocation failure The kcalloc() in dmirror_device_evict_chunk() will return null if thephysical memory has run out. As a result, if src_pfns or dst_pfns isdereferenced, the null pointer...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: RDMA/rxe: Fix seg fault in rxe_comp_queue_pkt In rxe_comp_queue_pkt() an incoming response packet skb is enqueued to theresp_pkts queue and then a decision is made whether to run the completertask inline or schedule it. Finally the...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: RDMA/hns: Fix UAF for cq async event The refcount of CQ is not protected by locks. When CQ asynchronousevents and CQ destruction are concurrent, CQ may have been released,which will cause UAF. Use the xa_lock() to protect the CQ re...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm: vc4: Fix possible null pointer dereference In vc4_hdmi_audio_init() of_get_address() may returnNULL which is later dereferenced. Fix this bug by adding NULL check. Found by Linux Verification Center (linuxtesting.org) with SVA...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: media: atomisp: ssh_css: Fix a null-pointer dereference in load_video_binaries The allocation failure of mycs->yuv_scaler_binary in load_video_binaries()is followed with a dereference of mycs->yuv_scaler_binary after thefollo...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm: bridge: cdns-mhdp8546: Fix possible null pointer dereference In cdns_mhdp_atomic_enable(), the return value of drm_mode_duplicate() isassigned to mhdp_state->current_mode, and there is a dereference of it indrm_mode_set_nam...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/mediatek: Add 0 size check to mtk_drm_gem_obj Add a check to mtk_drm_gem_init if we attempt to allocate a GEM objectof 0 bytes. Currently, no such check exists and the kernel will panic ifa userspace application attempts to all...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ASoC: kirkwood: Fix potential NULL dereference In kirkwood_dma_hw_params() mv_mbus_dram_info() returns NULL ifCONFIG_PLAT_ORION macro is not defined.Fix this bug by adding NULL check. Found by Linux Verification Center (linuxtestin...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ASoC: mediatek: Assign dummy when codec not specified for a DAI link MediaTek sound card drivers are checking whether a DAI link is presentand used on a board to assign the correct parameters and this is doneby checking the codec D...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix potential index out of bounds in color transformation function Fixes index out of bounds issue in the color transformation function.The issue could occur when the index 'i' exceeds the number of transferfunctio...
7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: fec: remove .ndo_poll_controller to avoid deadlocks There is a deadlock issue found in sungem driver, please refer to thecommit ac0a230f719b ("eth: sungem: remove .ndo_poll_controller to avoiddeadlocks"). The root cause of the...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ax25: Fix reference count leak issue of net_device There is a reference count leak issue of the object "net_device" inax25_dev_device_down(). When the ax25 device is shutting down, theax25_dev_device_down() drops the reference coun...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Discard command completions in internal error Fix use after free when FW completion arrives while device is ininternal error state. Avoid calling completion handler in this case,since the device will flush the command int...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Add a timeout to acquire the command queue semaphore Prevent forced completion handling on an entry that has not yet beenassigned an index, causing an out of bounds access on idx = -22.Instead of waiting indefinitely for ...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Reload only IB representors upon lag disable/enable On lag disable, the bond IB device along with all of itsrepresentors are destroyed, and then the slaves' representors get reloaded. In case the slave IB representor load...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix overwriting ct original tuple for ICMPv6 OVS_PACKET_CMD_EXECUTE has 3 main attributes: OVS_PACKET_ATTR_KEY - Packet metadata in a netlink format. OVS_PACKET_ATTR_PACKET - Binary packet content. OVS_PACKET_ATTR...
7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: scsi: qedf: Ensure the copied buf is NUL terminated Currently, we allocate a count-sized kernel buffer and copy count fromuserspace to that buffer. Later, we use kstrtouint on this buffer but wedon't ensure that the string is termi...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: scsi: bfa: Ensure the copied buf is NUL terminated Currently, we allocate a nbytes-sized kernel buffer and copy nbytes fromuserspace to that buffer. Later, we use sscanf on this buffer but we don'tensure that the string is terminat...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: kunit: Fix kthread reference There is a race condition when a kthread finishes after the deadline andbefore the call to kthread_stop(), which may lead to use after free.
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: Avoid address calculations via out of bounds array indexing Before request->channels[] can be used, request->n_channels must be set.Additionally, address calculations for memory after the "channels" arrayneed t...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7996: fix potential memory leakage when reading chip temperature Without this commit, reading chip temperature will cause memory leakage.
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: bpf: Add BPF_PROG_TYPE_CGROUP_SKB attach type enforcement in BPF_LINK_CREATE bpf_prog_attach uses attach_type_to_prog_type to enforce properattach type for BPF_PROG_TYPE_CGROUP_SKB. link_create usesbpf_prog_get and relies on bpf_pr...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: ar5523: enable proper endpoint verification Syzkaller reports [1] hitting a warning about an endpoint in usenot having an expected type to it. Fix the issue by checking for the existence of all properendpoints with their acco...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: bpf: Fix verifier assumptions about socket->sk The verifier assumes that 'sk' field in 'struct socket' is validand non-NULL when 'socket' pointer itself is trusted and non-NULL.That may not be the case when socket was just creat...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: carl9170: add a proper sanity check for endpoints Syzkaller reports [1] hitting a warning which is caused by presenceof a wrong endpoint type at the URB sumbitting stage. While therewas a check for a specific 4th endpoint, si...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi: hns3: Fix out-of-bound access when valid event group The perf tool allows users to create event groups through followingcmd [1], but the driver does not check whether the array index is outof bounds when writing...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi_pcie: Fix out-of-bound access when valid event group The perf tool allows users to create event groups through followingcmd [1], but the driver does not check whether the array index is out ofbounds when writing ...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix potential glock use-after-free on unmount When a DLM lockspace is released and there ares still locks in thatlockspace, DLM will unlock those locks automatically. Commitfb6791d100d1b started exploiting this behavior to sp...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/tsens: Fix null pointer dereference compute_intercept_slope() is called from calibrate_8960() (in tsens-8960.c)as compute_intercept_slope(priv, p1, NULL, ONE_PT_CALIB) which lead to nullpointer dereference (if DEBUG...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix out-of-bound access of qmi_invoke_handler() Currently, there is no terminator entry for ath12k_qmi_msg_handlers hencefacing below KASAN warning, ==================================================================BU...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: cppc_cpufreq: Fix possible null pointer dereference cppc_cpufreq_get_rate() and hisi_cppc_cpufreq_get_rate() can be called fromdifferent places with various parameters. So cpufreq_cpu_get() can returnnull as 'policy' in some circum...
7.5CVSS
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: libbpf: Prevent null-pointer dereference when prog to load has no BTF In bpf_objec_load_prog(), there's no guarantee that obj->btf is non-NULLwhen passing it to btf__fd(), and this function does not perform anycheck before deref...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: pcie: handle randbuf allocation failure The kzalloc() in brcmf_pcie_download_fw_nvram() will return nullif the physical memory has run out. As a result, if we useget_random_bytes() to generate random bytes in the ra...
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: rcu: Fix buffer overflow in print_cpu_stall_info() The rcuc-starvation output from print_cpu_stall_info() might overflow thebuffer if there is a huge difference in jiffies difference. The situationmight seem improbable, but compute...
7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: rcu-tasks: Fix show_rcu_tasks_trace_gp_kthread buffer overflow There is a possibility of buffer overflow inshow_rcu_tasks_trace_gp_kthread() if counters, passedto sprintf() are huge. Counter numbers, needed for thisare unrealistica...
7.1AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ecryptfs: Fix buffer size for tag 66 packet The 'TAG 66 Packet Format' description is missing the cipher code andchecksum fields that are packed into the message packet. As a result,the buffer allocated for the packet is 3 bytes to...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: crypto: bcm - Fix pointer arithmetic In spu2_dump_omd() value of ptr is increased by ciph_key_leninstead of hash_iv_len which could lead to going beyond thebuffer boundaries.Fix this bug by changing ciph_key_len to hash_iv_len. Fou...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: epoll: be better about file lifetimes epoll can call out to vfs_poll() with a file pointer that may race withthe last 'fput()'. That would make f_count go down to zero, and whilethe ep->mtx locking means that the resulting file ...
6.5AI Score
0.0004EPSS