Linux Security Vulnerabilities
In the Linux kernel, the following vulnerability has been resolved: tcp: Use refcount_inc_not_zero() in tcp_twsk_unique(). Anderson Nascimento reported a use-after-free splat in tcp_twsk_unique()with nice analysis. Since commit ec94c2696f0b ("tcp/dccp: avoid one atomic operation fortimewait hashdan...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: tcp: defer shutdown(SEND_SHUTDOWN) for TCP_SYN_RECV sockets TCP_SYN_RECV state is really special, it is only used bycross-syn connections, mostly used by fuzzers. In the following crash [1], syzbot managed to trigger a divideby zer...
9.8CVSS
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ARM: 9381/1: kasan: clear stale stack poison We found below OOB crash: [ 33.452494] ==================================================================[ 33.453513] BUG: KASAN: stack-out-of-bounds in refresh_cpu_vm_stats.constprop.0+...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: blk-iocost: do not WARN if iocg was already offlined In iocg_pay_debt(), warn is triggered if 'active_list' is empty, whichis intended to confirm iocg is active when it has debt. However, warncan be triggered during a blkcg or disk...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Don't free ring buffers that couldn't be re-encrypted In CoCo VMs it is possible for the untrusted host to causeset_memory_encrypted() or set_memory_decrypted() to fail such that anerror is returned and the resu...
7.1AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: uio_hv_generic: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to causeset_memory_encrypted() or set_memory_decrypted() to fail such that anerror is returned and the resulting memory is shared. Caller...
6.2CVSS
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: hv_netvsc: Don't free decrypted memory In CoCo VMs it is possible for the untrusted host to causeset_memory_encrypted() or set_memory_decrypted() to fail such that anerror is returned and the resulting memory is shared. Callers nee...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Track decrypted status in vmbus_gpadl In CoCo VMs it is possible for the untrusted host to causeset_memory_encrypted() or set_memory_decrypted() to fail such that anerror is returned and the resulting memory is ...
8.1CVSS
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: Drivers: hv: vmbus: Leak pages if set_memory_encrypted() fails In CoCo VMs it is possible for the untrusted host to causeset_memory_encrypted() or set_memory_decrypted() to fail such that anerror is returned and the resulting memor...
8.1CVSS
6.9AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Skip on writeback when it's not applicable [WHY]dynamic memory safety error detector (KASAN) catches and generates errormessages "BUG: KASAN: slab-out-of-bounds" as writeback connector does notsupport certain featu...
7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: nfc: llcp: fix nfc_llcp_setsockopt() unsafe copies syzbot reported unsafe calls to copy_from_sockptr() [1] Use copy_safe_from_sockptr() instead. [1] BUG: KASAN: slab-out-of-bounds in copy_from_sockptr_offset include/linux/sockptr.h...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: blk-iocost: avoid out of bounds shift UBSAN catches undefined behavior in blk-iocost, where sometimesiocg->delay is shifted right by a number that is too large,resulting in undefined behavior on some architectures. [ 186.556576]...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: block: fix overflow in blk_ioctl_discard() There is no check for overflow of 'start + len' in blk_ioctl_discard().Hung task occurs if submit an discard ioctl with the following param:start = 0x80000000000ff000, len = 0x8000000000ff...
7.1AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: bpf: Check bloom filter map value size This patch adds a missing check to bloom filter creating, rejectingvalues above KMALLOC_MAX_SIZE. This brings the bloom map in line withmany other map types. The lack of this protection can ca...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: scsi: bnx2fc: Remove spin_lock_bh while releasing resources after upload The session resources are used by FW and driver when session is offloaded,once session is uploaded these resources are not used. The lock is notrequired as th...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Avoid memcpy field-spanning write WARNING When the "storcli2 show" command is executed for eHBA-9600, mpi3mr driverprints this WARNING message: memcpy: detected field-spanning write (size 128) of single field "bsg_rep...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: guard against invalid STA ID on removal Guard against invalid station IDs in iwl_mvm_mld_rm_sta_id as that wouldresult in out-of-bounds array accesses. This prevents issues should thedriver get into a bad state ...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: read txq->read_ptr under lock If we read txq->read_ptr without lock, we can read the samevalue twice, then obtain the lock, and reclaim from thereto two different places, but crucially reclaim the sameentry twi...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: fs/9p: fix uninitialized values during inode evict If an iget fails due to not being able to retrieve informationfrom the server then the inode structure is only partiallyinitialized. When the inode gets evicted, references tounini...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Release hbalock before calling lpfc_worker_wake_up() lpfc_worker_wake_up() calls the lpfc_work_done() routine, which takes thehbalock. Thus, lpfc_worker_wake_up() should not be called while holding thehbalock to avoid p...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: swiotlb: initialise restricted pool list_head when SWIOTLB_DYNAMIC=y Using restricted DMA pools (CONFIG_DMA_RESTRICTED_POOL=y) in conjunctionwith dynamic SWIOTLB (CONFIG_SWIOTLB_DYNAMIC=y) leads to the followingcrash when initialis...
5.5CVSS
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/iommu: LPAR panics during boot up with a frozen PE At the time of LPAR boot up, partition firmware provides Open Firmwareproperty ibm,dma-window for the PE. This property is provided on the PCIbus the PE is attached...
5.5CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ipv4: Fix uninit-value access in __ip_make_skb() KMSAN reported uninit-value access in __ip_make_skb() [1]. __ip_make_skb()tests HDRINCL to know if the skb has icmphdr. However, HDRINCL can cause arace condition. If calling setsock...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: s390/qeth: Fix kernel panic after setting hsuid Symptom:When the hsuid attribute is set for the first time on an IQD Layer3device while the corresponding network interface is already UP,the kernel will try to execute a napi functio...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: core: reject skb_copy(_expand) for fraglist GSO skbs SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they becomeinvalid. Return NULL if such an skb is passed to skb_copy orskb_copy_expand, in order to prevent a crash o...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: spi: fix null pointer dereference within spi_sync If spi_sync() is called with the non-empty queue and the same spi_messageis then reused, the complete callback for the message remains set whilethe context is cleared, leading to a ...
5.5CVSS
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: s390/cio: Ensure the copied buf is NUL terminated Currently, we allocate a lbuf-sized kernel buffer and copy lbuf fromuserspace to that buffer. Later, we use scanf on this buffer but we don'tensure that the string is terminated ins...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: thermal/debugfs: Prevent use-after-free from occurring after cdev removal Since thermal_debug_cdev_remove() does not run under cdev->lock, it canrun in parallel with thermal_debug_cdev_state_update() and it may freethe struct th...
5.5CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: nsh: Restore skb->{protocol,data,mac_header} for outer header in nsh_gso_segment(). syzbot triggered various splats (see [0] and links) by a crafted GSOpacket of VIRTIO_NET_HDR_GSO_UDP layering the following protocols: ETH_P_802...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: bna: ensure the copied buf is NUL terminated Currently, we allocate a nbytes-sized kernel buffer and copy nbytes fromuserspace to that buffer. Later, we use sscanf on this buffer but we don'tensure that the string is terminated ins...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ice: ensure the copied buf is NUL terminated Currently, we allocate a count-sized kernel buffer and copy count bytesfrom userspace to that buffer. Later, we use sscanf on this buffer but wedon't ensure that the string is terminated...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: efi/unaccepted: touch soft lockup during memory accept Commit 50e782a86c98 ("efi/unaccepted: Fix soft lockups caused byparallel memory acceptance") has released the spinlock so other CPUs cando memory acceptance in parallel and not...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: xdp: use flags field to disambiguate broadcast redirect When redirecting a packet using XDP, the bpf_redirect_map() helper will setup the redirect destination information in struct bpf_redirect_info (usingthe __bpf_xdp_redirect_map...
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: bpf, skmsg: Fix NULL pointer dereference in sk_psock_skb_ingress_enqueue Fix NULL pointer data-races in sk_psock_skb_ingress_enqueue() whichsyzbot reported [1]. [1]BUG: KCSAN: data-race in sk_psock_drop / sk_psock_skb_ingress_enque...
5.5CVSS
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: nfs: Handle error of rpc_proc_register() in nfs_net_init(). syzkaller reported a warning 0 triggered while destroying immaturenetns. rpc_proc_register() was called in init_nfs_fs(), but its errorhas been ignored since at least the ...
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: pinctrl: core: delete incorrect free in pinctrl_enable() The "pctldev" struct is allocated in devm_pinctrl_register_and_init().It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),so freeing it in pinctrl_enable...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: don't free NULL coalescing rule If the parsing fails, we can dereference a NULL pointer here.
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: qca: fix firmware check error path A recent commit fixed the code that parses the firmware files beforedownloading them to the controller but introduced a memory leak in casethe sanity checks ever fail. Make sure to free...
7.1AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: fs/proc/task_mmu: fix loss of young/dirty bits during pagemap scan make_uffd_wp_pte() was previously doing: pte = ptep_get(ptep);ptep_modify_prot_start(ptep);pte = pte_mkuffd_wp(pte);ptep_modify_prot_commit(ptep, pte); But if anoth...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: Reapply "drm/qxl: simplify qxl_fence_wait" This reverts commit 07ed11afb68d94eadd4ffc082b97c2331307c5ea. Stephen Rostedt reports:"I went to run my tests on my VMs and the tests hung on boot up.Unfortunately, the most I ever got out...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/smc: fix neighbour and rtable leak in smc_ib_find_route() In smc_ib_find_route(), the neighbour found by neigh_lookup() and rtableresolved by ip_route_output_flow() are not released or put before return.It may cause the refcoun...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: phonet: fix rtm_phonet_notify() skb allocation fill_route() stores three components in the skb: struct rtmsg RTA_DST (u8) RTA_OIF (u32) Therefore, rtm_phonet_notify() should use NLMSG_ALIGN(sizeof(struct rtmsg)) +nla_total_size(1) ...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: qibfs: fix dentry leak simple_recursive_removal() drops the pinning references to all positivesin subtree. For the cases when its argument has been kept alive bythe pinning alone that's exactly the right thing to do, but herethe ar...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/xe/xe_migrate: Cast to output precision before multiplying operands Addressing potential overflow in result of multiplication of two lowerprecision (u32) operands before widening it to higher precision(u64). -v2Fix commit messa...
7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: amd/amdkfd: sync all devices to wait all processes being evicted If there are more than one device doing reset in parallel, the firstdevice will call kfd_suspend_all_processes() to evict all processeson all devices, this call takes...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: firewire: ohci: mask bus reset interrupts between ISR and bottom half In the FireWire OHCI interrupt handler, if a bus reset interrupt hasoccurred, mask bus reset interrupts until bus_reset_work has serviced andcleared the interrup...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: range check cp bad op exception interrupts Due to a CP interrupt bug, bad packet garbage exception codes are raised.Do a range check so that the debugger and runtime do not receive garbagecodes.Update the user api to gu...
6.9AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Move NPIV's transport unregistration to after resource clean up There are cases after NPIV deletion where the fabric switch still believesthe NPIV is logged into the fabric. This occurs when a vport isunregistered befor...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-v2: Check for non-NULL vCPU in vgic_v2_parse_attr() vgic_v2_parse_attr() is responsible for finding the vCPU that matchesthe user-provided CPUID, which (of course) may not be valid. If the IDis invalid, kvm_get_vcp...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: tipc: fix a possible memleak in tipc_buf_append __skb_linearize() doesn't free the skb when it fails, so move'*buf = NULL' after __skb_linearize(), so that the skb can befreed on the err path.
6.6AI Score
0.0004EPSS