Linux Kernel Security Vulnerabilities
In the Linux kernel, the following vulnerability has been resolved: thermal: intel: hfi: Add syscore callbacks for system-wide PM The kernel allocates a memory buffer and provides its location to thehardware, which uses it to update the HFI table. This allocation occursduring boot and remains const...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix late derefrence 'dsc' check in 'link_set_dsc_pps_packet()' In link_set_dsc_pps_packet(), 'struct display_stream_compressor *dsc'was dereferenced in a DC_LOGGER_INIT(dsc->ctx->logger); before the 'dsc'NULL...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix variable deferencing before NULL check in edp_setup_replay() In edp_setup_replay(), 'struct dc *dc' & 'struct dmub_replay *replay'was dereferenced before the pointer 'link' & 'replay' NULL check. Fixes the belo...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix the null pointer when load rlc firmware If the RLC firmware is invalid because of wrong header size,the pointer to the rlc firmware is released in functionamdgpu_ucode_request. There will be a null pointer errorin s...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: sr9800: Add check for usbnet_get_endpoints Add check for usbnet_get_endpoints() and return the error if it failsin order to transfer the error.
6.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: pds_core: Fix possible double free in error handling path When auxiliary_device_add() returns error and then callsauxiliary_device_uninit(), Callback function pdsc_auxbus_dev_releasecalls kfree(padev) to free memory. We should...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: usb: misc: ljca: Fix double free in error handling path When auxiliary_device_add() returns error and then callsauxiliary_device_uninit(), callback function ljca_auxdev_releasecalls kfree(auxdev->dev.platform_data) to free the p...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ALSA: sh: aica: reorder cleanup operations to avoid UAF bugs The dreamcastcard->timer could schedule the spu_dma_work and thespu_dma_work could also arm the dreamcastcard->timer. When the snd_pcm_substream is closing, the aic...
6.1AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: Fix memory leak in posix_clock_open() If the clk ops.open() function returns an error, we don't release thepccontext we allocated for this clock. Re-organize the code slightly to make it all more obvious.
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix use-after-free bug The bug can be triggered by sending a single amdgpu_gem_userptr_ioctlto the AMDGPU DRM driver on any ASICs with an invalid address and size.The bug was reported by Joonkyo Jung [email protected]....
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/sched: fix null-ptr-deref in init entity The bug can be triggered by sending an amdgpu_cs_wait_ioctlto the AMDGPU DRM driver on any ASICs with valid context.The bug was reported by Joonkyo Jung [email protected] .For exampl...
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: bcachefs: grab s_umount only if snapshotting When I was testing mongodb over bcachefs with compression,there is a lockdep warning when snapshotting mongodb data volume. $ cat test.shprog=bcachefs $prog subvolume create /mnt/data$pr...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: xhci: handle isoc Babble and Buffer Overrun events properly xHCI 4.9 explicitly forbids assuming that the xHC has released itsownership of a multi-TRB TD when it reports an error on one of theearly TRBs. Yet the driver makes such a...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Implement bounds check for stream encoder creation in DCN301 'stream_enc_regs' array is an array of dcn10_stream_enc_registersstructures. The array is initialized with four elements, correspondingto the four calls ...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Add NULL test for 'timing generator' in 'dcn21_set_pipe()' In "u32 otg_inst = pipe_ctx->stream_res.tg->inst;"pipe_ctx->stream_res.tg could be NULL, it is relying on the caller toensure the tg is not NULL.
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix 'panel_cntl' could be null in 'dcn21_set_backlight_level()' 'panel_cntl' structure used to control the display panel could be null,dereferencing it could lead to a null pointer access. Fixes the below:drivers/g...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: tipc: Check the bearer type before calling tipc_udp_nl_bearer_add() syzbot reported the following general protection fault [1]: general protection fault, probably for non-canonical address 0xdffffc0000000010: 0000 [#1] PREEMPT SMP ...
6.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: hwmon: (coretemp) Fix out-of-bounds memory access Fix a bug that pdata->cpu_map[] is set before out-of-bounds check.The problem might be triggered on systems with more than 128 cores perpackage.
6.1AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: tunnels: fix out of bounds access when building IPv6 PMTU error If the ICMPv6 error is built from a non-linear skb we get the followingsplat, BUG: KASAN: slab-out-of-bounds in do_csum+0x220/0x240Read of size 4 at addr ffff88811d402...
6.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix RCU use in TDLS fast-xmit This looks up the link under RCU protection, but isn'tguaranteed to actually have protection. Fix that.
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: check for valid hw_pp in dpu_encoder_helper_phys_cleanup The commit 8b45a26f2ba9 ("drm/msm/dpu: reserve cdm blocks for writebackin case of YUV output") introduced a smatch warning about anotherconditional block in dpu_...
6.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: reject configurations that cause integer overflow Reject bogus configs where internal token counter wraps around.This only occurs with very very large requests, such as 17gbyte/s. Its better to reject this rat...
6.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs theunderlying driver to remove its flow offload callback from theassociated filter block using the 'FLOW_BLOCK_UNBIND' comm...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: arm64: entry: fix ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD Currently the ARM64_WORKAROUND_SPECULATIVE_UNPRIV_LOAD workaround isn'tquite right, as it is supposed to be applied after the last explicitmemory access, but is immediately...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix IO hang from sbitmap wakeup race In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-orderedwith the following blk_mq_get_driver_tag() in case of getting drivertag failure. Then in __sbitmap_queue_wake_up(), waitque...
6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get_mca_entry()' Fixes the below: drivers/gpu/drm/amd/amdgpu/amdgpu_mca.c:377 amdgpu_mca_smu_get_mca_entry() warn: variable dereferenced before ...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations Disallow families other than NFPROTO_{IPV4,IPV6,INET}. Disallow layer 4 protocol with no ports, since destination port is amandatory attribute for thi...
6.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups During memory error injection test on kernels >= v6.4, the kernel panicslike below. However, this issue couldn't be reproduced on kernels <= v6.3. mce: [Hardwar...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ppp_async: limit MRU to 64K syzbot triggered a warning [1] in __alloc_pages(): WARN_ON_ONCE_GFP(order > MAX_PAGE_ORDER, gfp) Willem fixed a similar issue in commit c0a2a1b0d631 ("ppp: limit MRU to 64K") Adopt the same sanity che...
6.1AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. syzbot reported a warning [0] in __unix_gc() with a repro, whichcreates a socketpair and sends one socket's fd to itself using thepeer. socketpair(AF_UNIX, SOCK_STREAM...
6.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix delayed ACKs to not set the reference serial number Fix the construction of delayed ACKs to not set the reference serial numberas they can't be used as an RTT reference.
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section The .compat section is a dummy PE section that contains the address ofthe 32-bit entrypoint of the 64-bit kernel image if it is bootable from32-bit firmware (i.e....
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: inet: read sk->sk_family once in inet_recv_error() inet_recv_error() is called without holding the socket lock. IPv6 socket could mutate to IPv4 with IPV6_ADDRFORMsocket option and trigger a KCSAN warning.
6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: atlantic: Fix DMA mapping for PTP hwts ring Function aq_ring_hwts_rx_alloc() maps extra AQ_CFG_RXDS_DEF bytesfor PTP HWTS ring but then generic aq_ring_free() does not take thisinto account.Create and use a specific function t...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: netdevsim: avoid potential loop in nsim_dev_trap_report_work() Many syzbot reports include the following trace [1] If nsim_dev_trap_report_work() can not grab the mutex,it should rearm itself at least one jiffie later. [1]Sending N...
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: improve CSA/ECSA connection refusal As mentioned in the previous commit, we pretty quickly foundthat some APs have ECSA elements stuck in their probe response,so using that to not attempt to connect while CSA is hap...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: detect stuck ECSA element in probe resp We recently added some validation that we don't try toconnect to an AP that is currently in a channel switchprocess, since that might want the channel to be quietor we might n...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: xgmac: fix handling of DPP safety error for DMA channels Commit 56e58d6c8a56 ("net: stmmac: Implement Safety Features inXGMAC core") checks and reports safety errors, but leaves theData Path Parity Errors for each chan...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix potential bug in end_buffer_async_write According to a syzbot report, end_buffer_async_write(), which handles thecompletion of block device writes, may detect abnormal condition of thebuffer async_write flag and cause a...
6.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: fs/proc: do_task_stat: use sig->stats_lock to gather the threads/children stats lock_task_sighand() can trigger a hard lockup. If NR_CPUS threads calldo_task_stat() at the same time and the process has NR_THREADS, it willspin wi...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: xen/events: close evtchn after mapping cleanup shutdown_pirq and startup_pirq are not taking theirq_mapping_update_lock because they can't due to lock inversion. Bothare called with the irq_desc->lock being taking. The lock orde...
6.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: fs,hugetlb: fix NULL pointer dereference in hugetlbs_fill_super When configuring a hugetlb filesystem via the fsconfig() syscall, there isa possible NULL dereference in hugetlbfs_fill_super() caused by assigningNULL to ctx->hsta...
5.9AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ceph: prevent use-after-free in encode_cap_msg() In fs/ceph/caps.c, in encode_cap_msg(), "use after free" error wascaught by KASAN at this line - 'ceph_buffer_get(arg->xattr_buf);'. Thisimplies before the refcount could be incre...
6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: stmmac: protect updates of 64-bit statistics counters As explained by a comment in <linux/u64_stats_sync.h>, write side of structu64_stats_sync must ensure mutual exclusion, or one seqcount update couldbe lost on 32-bit ...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Fix circular locking dependency The rule inside kvm enforces that the vcpu->mutex is taken inside kvm->lock. The rule is violated by the pkvm_create_hyp_vm() which acquiresthe kvm->lock while already holding th...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: smb: Fix regression in writes when non-standard maximum write size negotiated The conversion to netfs in the 6.3 kernel caused a regression whenmaximum write size is set by the server to an unexpected value which isnot a multiple o...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: fix a crash when we run out of stations A DoS tool that injects loads of authentication frames made our APcrash. The iwl_mvm_is_dup() function couldn't find the per-queuedup_data which was not allocated. The roo...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix double-free bug The storage for the TLV PC register data wasn't done like allthe other storage in the drv->fw area, which is cleared at theend of deallocation. Therefore, the freeing must also be donedifferent...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: crypto: ccp - Fix null pointer dereference in __sev_platform_shutdown_locked The SEV platform device can be shutdown with a null psp_master,e.g., using DEBUG_TEST_DRIVER_REMOVE. Found using KASAN: [ 137.148210] ccp 0000:23:00.1: en...
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix hang in nilfs_lookup_dirty_data_buffers() Syzbot reported a hang issue in migrate_pages_batch() called by mbind()and nilfs_lookup_dirty_data_buffers() called in the log writer of nilfs2. While migrate_pages_batch() lock...
6.2AI Score
0.0004EPSS