mozilla: WASM type confusion involving ArrayTypes

The Mozilla Foundation's Security Advisory: A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability...

mozilla: WASM type confusion involving ArrayTypes

The Mozilla Foundation's Security Advisory: A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability...

mozilla: WASM type confusion involving ArrayTypes

The Mozilla Foundation's Security Advisory: A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability...

mozilla: WASM type confusion involving ArrayTypes

The Mozilla Foundation's Security Advisory: A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability...

CVE-2024-44967 drm/mgag200: Bind I2C lifetime to DRM device

In the Linux kernel, the following vulnerability has been resolved: drm/mgag200: Bind I2C lifetime to DRM device Managed cleanup with devmaddactionorreset will release the I2C adapter when the underlying Linux device goes away. But the connector still refers to it, so this cleanup leaves behind a...

CVE-2024-44967 drm/mgag200: Bind I2C lifetime to DRM device

In the Linux kernel, the following vulnerability has been resolved: drm/mgag200: Bind I2C lifetime to DRM device Managed cleanup with devmaddactionorreset will release the I2C adapter when the underlying Linux device goes away. But the connector still refers to it, so this cleanup leaves behind a...

gorilla/schema: Potential memory exhaustion attack due to sparse slice deserialization

A flaw was found in the gorilla/schema package. Running schema.Decoder.Decode on a struct that has a field of type struct... opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of schema.Decoder.Decode on a struct with arrays ...

UBUNTU-CVE-2024-8385

A difference in the handling of StructFields and ArrayTypes in WASM could be used to trigger an exploitable type confusion vulnerability. This vulnerability affects Firefox 130, Firefox ESR 128.2, and Thunderbird 128.2...

CVE-2024-43900

In the Linux kernel, the following vulnerability has been resolved: media: xc2028: avoid use-after-free in loadfirmwarecb syzkaller reported use-after-free in loadfirmwarecb 1. The reason is because the module allocated a struct tuner in tunerprobe, and then the module initialization failed, the...

CVE-2024-43900

CVE-2024-43900 affects the Linux kernel’s media: xc2028 path. A worker thread can dereference a freed dvb_frontend object after tuner_probe() allocates a tuner and module removal frees the dvb_frontend, leading to a use-after-free in load_firmware_cb() triggered by request_firmware_work_func. The...

CVE-2024-43900 media: xc2028: avoid use-after-free in load_firmware_cb()

In the Linux kernel, the following vulnerability has been resolved: media: xc2028: avoid use-after-free in loadfirmwarecb syzkaller reported use-after-free in loadfirmwarecb 1. The reason is because the module allocated a struct tuner in tunerprobe, and then the module initialization failed, the...

CVE-2022-48913

In the Linux kernel, the following vulnerability has been resolved: blktrace: fix use after free for struct blktrace When tracing the whole disk, 'dropped' and 'msg' will be created under 'q-debugfsdir' and 'bt-dir' is NULL, thus blktracefree won't remove those files. What's worse, the following...

CVE-2022-48910

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ensure we call ipv6mcdown at most once There are two reasons for addrconfnotify to be called with NETDEVDOWN: either the network device is actually going down, or IPv6 was disabled on the interface. If either of them...

CVE-2022-48913 blktrace: fix use after free for struct blk_trace

In the Linux kernel, the following vulnerability has been resolved: blktrace: fix use after free for struct blktrace When tracing the whole disk, 'dropped' and 'msg' will be created under 'q-debugfsdir' and 'bt-dir' is NULL, thus blktracefree won't remove those files. What's worse, the following...

CVE-2022-48910 net: ipv6: ensure we call ipv6_mc_down() at most once

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ensure we call ipv6mcdown at most once There are two reasons for addrconfnotify to be called with NETDEVDOWN: either the network device is actually going down, or IPv6 was disabled on the interface. If either of them...

CVE-2023-52894

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: fncm: fix potential NULL ptr deref in ncmbitrate In Google internal bug 265639009 we've received an as yet unreproducible crash report from an aarch64 GKI 5.10.149-android13 running device. AFAICT the source code is...

CVE-2023-52906

In the Linux kernel, the following vulnerability has been resolved: net/sched: actmpls: Fix warning during failed attribute validation The 'TCAMPLSLABEL' attribute is of 'NLAU32' type, but has a validation type of 'NLAVALIDATEFUNCTION'. This is an invalid combination according to the comment abov...

CVE-2023-52894 usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate()

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: fncm: fix potential NULL ptr deref in ncmbitrate In Google internal bug 265639009 we've received an as yet unreproducible crash report from an aarch64 GKI 5.10.149-android13 running device. AFAICT the source code is...

CVE-2023-52894

CVE-2023-52894 affects the Linux kernel USB gadget f_ncm path, where a NULL cdev->gadget dereferences max_speed in ncm_bitrate() during SPEED_NOTIFY handling. The issue was observed on an aarch64 GKI 5.10.149-android13 crash (NULL pointer dereference at 0x5c) and is linked to ncm_do_notify() S...

CVE-2024-42285

In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix a use-after-free related to destroying CM IDs iwconnreqhandler associates a new struct rdmaidprivate connid with an existing struct iwcmid cmid as follows: connid-cmid.iw = cmid; cmid-context = connid; cmid-cmhandl...