959 matches found
CVE-2023-52894
CVE-2023-52894 affects the Linux kernel USB gadget f_ncm path, where a NULL cdev->gadget dereferences max_speed in ncm_bitrate() during SPEED_NOTIFY handling. The issue was observed on an aarch64 GKI 5.10.149-android13 crash (NULL pointer dereference at 0x5c) and is linked to ncm_do_notify() S...
CVE-2024-42285
In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix a use-after-free related to destroying CM IDs. iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with an existing struct iw_cm_id (cm_id) as follows: conn_id->cm_id.iw = cm_id; cm_id->context = conn_id; cm_id->cm_handl...
CVE-2024-43827
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add null check before access structs. In enable_phantom_plane, we should better check null pointer before accessing various structs...
CVE-2024-43816
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Revise lpfc_prep_embed_io routine with proper endian macro usages. On big endian architectures, it is possible to run into a memory out of bounds pointer dereference when FCP targets are zoned. In lpfc_prep_embed_io, the...
CVE-2024-43817
In the Linux kernel, the following vulnerability has been resolved: net: missing check virtio. Two missing check in virtio_net_hdr_to_skb() allowed syzbot to crash kernels again. 1. After the skb_segment function the buffer may become non-linear (nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set...
CVE-2024-43817 net: missing check virtio
In the Linux kernel, the following vulnerability has been resolved: net: missing check virtio. Two missing check in virtio_net_hdr_to_skb() allowed syzbot to crash kernels again. 1. After the skb_segment function the buffer may become non-linear (nr_frags != 0), but since the SKBTX_SHARED_FRAG flag is not set...
CVE-2024-42272
In the Linux kernel, the following vulnerability has been resolved: sched: act_ct: take care of padding in struct zones_ht_key. Blamed commit increased lookup key size from 2 bytes to 16 bytes, because zones_ht_key got a struct net pointer. Make sure rhashtable_lookup() is not using the padding bytes whic...
CVE-2024-42302 PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal
In the Linux kernel, the following vulnerability has been resolved: PCI/DPC: Fix use-after-free on concurrent DPC and hot-removal. Keith reports a use-after-free when a DPC event occurs concurrently to hot-removal of the same portion of the hierarchy: The dpc_handler() awaits readiness of the seconda...
CVE-2024-42285 RDMA/iwcm: Fix a use-after-free related to destroying CM IDs
In the Linux kernel, the following vulnerability has been resolved: RDMA/iwcm: Fix a use-after-free related to destroying CM IDs. iw_conn_req_handler() associates a new struct rdma_id_private (conn_id) with an existing struct iw_cm_id (cm_id) as follows: conn_id->cm_id.iw = cm_id; cm_id->context = conn_id; cm_id->cm_handl...
CVE-2024-42283
The CVE-2024-42283 issue in the Linux kernel concerns net/nexthop: two reserved fields in the nexthop_grp were not initialized by nla_put_nh_group(), allowing garbage to leak from the kernel. The public description notes these fields are reserved and currently unused, but their non‑zero values ca...
CVE-2024-42283 net: nexthop: Initialize all fields in dumped nexthops
In the Linux kernel, the following vulnerability has been resolved: net: nexthop: Initialize all fields in dumped nexthops. struct nexthop_grp contains two reserved fields that are not initialized by nla_put_nh_group(), and carry garbage. This can be observed e.g. with strace (edited for clarity): ip...
CVE-2024-42272
The connected IBM Security Bulletin confirms CVE-2024-42272 as a Linux kernel issue fixed in sched: act_ct. The root cause was the padding in zones_ht_key after a patch widened the rhashtable key from 2 to 16 bytes; rhashtable_lookup() could read uninitialized padding bytes. The fix ensures paddi...
CVE-2024-42272 sched: act_ct: take care of padding in struct zones_ht_key
In the Linux kernel, the following vulnerability has been resolved: sched: act_ct: take care of padding in struct zones_ht_key. Blamed commit increased lookup key size from 2 bytes to 16 bytes, because zones_ht_key got a struct net pointer. Make sure rhashtable_lookup() is not using the padding bytes whic...
gorilla/schema: Potential memory exhaustion attack due to sparse slice deserialization
A flaw was found in the gorilla/schema package. Running schema.Decoder.Decode on a struct that has a field of type struct... opens it up to malicious attacks regarding memory allocations, taking advantage of the sparse slice functionality. Any use of schema.Decoder.Decode on a struct with arrays ...