Linux Kernel Security Vulnerabilities
In the Linux kernel, the following vulnerability has been resolved: iavf: free q_vectors before queues in iavf_disable_vf iavf_free_queues() clears adapter->num_active_queues, whichiavf_free_q_vectors() relies on, so swap the order of these two functioncalls in iavf_disable_vf(). This resolves a...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: thermal: Fix NULL pointer dereferences in of_thermal_ functions of_parse_thermal_zones() parses the thermal-zones node and registers athermal_zone device for each subnode. However, if a thermal zone isconsuming a thermal sensor and...
6.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() When parsing the txq list in lpfc_drain_txq(), the driver attempts to passthe requests to the adapter. If such an attempt fails, a local "fail_msg"string is set and a log me...
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: dpaa2-eth: fix use-after-free in dpaa2_eth_remove Access to netdev after free_netdev() will cause use-after-free bug.Move debug log before free_netdev() call to avoid it.
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: clk: sunxi-ng: Unregister clocks/resets when unbinding Currently, unbinding a CCU driver unmaps the device's MMIO region, whileleaving its clocks/resets and their providers registered. This can causea page fault later when some clo...
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: usb: host: ohci-tmio: check return value after calling platform_get_resource() It will cause null-ptr-deref if platform_get_resource() returns NULL,we need check the return value.
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ALSA: gus: fix null pointer dereference on pointer block The pointer block return from snd_gf1_dma_next_block could benull, so there is a potential null pointer dereference issue.Fix this by adding a null check before dereference.
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Prevent dead task groups from regaining cfs_rq's Kevin is reporting crashes which point to a use-after-free of a cfs_rqin update_blocked_averages(). Initial debugging revealed that we'velive cfs_rq's (on_list=1) in an a...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: usb: typec: tipd: Remove WARN_ON in tps6598x_block_read Calling tps6598x_block_read with a higher than allowed len can behandled by just returning an error. There's no need to crash systemswith panic-on-warn enabled.
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: fix null pointer dereference on pointer cs_desc The pointer cs_desc return from snd_usb_find_clock_source couldbe null, so there is a potential null pointer dereference issue.Fix this by adding a null check before ...
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Update error handler for UCTX and UMEM In the fast unload flow, the device state is set to internal error,which indicates that the driver started the destroy process.In this case, when a destroy command is being executed,...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: hugetlb, userfaultfd: fix reservation restore on userfaultfd error Currently in the is_continue case in hugetlb_mcopy_atomic_pte(), if webail out using "goto out_release_unlock;" in the cases where idx >=size, or !huge_pte_none(...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: kTLS, Fix crash in RX resync flow For the TLS RX resync flow, we maintain a list of TLS contextsthat require some attention, to communicate their resync informationto the HW.Here we fix list corruptions, by protecting th...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: scsi: advansys: Fix kernel pointer leak Pointers should be printed with %p or %px rather than cast to 'unsignedlong' and printed with %lx. Change %lx to %p to print the hashed pointer.
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails Check for a valid hv_vp_index array prior to derefencing hv_vp_index whensetting Hyper-V's TSC change callback. If Hyper-V setup failed inhyperv_init(), the...
5.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: selinux: fix NULL-pointer dereference when hashtab allocation fails When the hash table slot array allocation fails in hashtab_init(),h->size is left initialized with a non-zero value, but the h->htablepointer is NULL. This m...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Fix out-of-bound read in resp_report_tgtpgs() The following issue was observed running syzkaller: BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:377 [inline]BUG: KASAN: slab-out-of-bounds in sg_co...
6.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: fix kernel panic when do reboot When do system reboot, it calls dwc3_shutdown and the whole debugfsfor dwc3 has removed first, when the gadget tries to do deinit, andremove debugfs for its endpoints, it meets NULL ...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: mm/slub: actually fix freelist pointer vs redzoning It turns out that SLUB redzoning ("slub_debug=Z") checks froms->object_size rather than from s->inuse (which is normally bumped tomake room for the freelist pointer), so a c...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix vlan tunnel dst refcnt when egressing The egress tunnel code uses dst_clone() and directly sets the resultwhich is wrong because the entry might have 0 refcnt or be already deleted,causing number of problems. It al...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix vlan tunnel dst null pointer dereference This patch fixes a tunnel_dst null pointer dereference due to locklessaccess in the tunnel egress path. When deleting a vlan tunnel thetunnel_dst pointer is set to NULL with...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: ll_temac: Make sure to free skb when it is completely used With the skb pointer piggy-backed on the TX BD, we have a simple andefficient way to free the skb buffer when the frame has been transmitted.But in order to avoid free...
6.9AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: mac80211: fix deadlock in AP/VLAN handling Syzbot reports that when you have AP_VLAN interfaces that are upand close the AP interface they belong to, we get a deadlock. Nosurprise - since we dev_close() them with the wiphy mutex he...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer Both Intel and AMD consider it to be architecturally valid for XRSTOR tofail with #PF but nonetheless change the register state. The actualconditions under whic...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Prevent state corruption in __fpu__restore_sig() The non-compacted slowpath uses __copy_from_user() and copies the entireuser buffer into the kernel buffer, verbatim. This means that the kernelbuffer may now contain entire...
7.1AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: x86/ioremap: Map EFI-reserved memory as encrypted for SEV Some drivers require memory that is marked as EFI boot servicesdata. In order for this memory to not be re-used by the kernelafter ExitBootServices(), efi_mem_reserve() is u...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: PCI: aardvark: Fix kernel panic during PIO transfer Trying to start a new PIO transfer by writing value 0 in PIO_START registerwhen previous transfer has not yet completed (which is indicated by value 1in PIO_START) causes an Exter...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Immediately reset the MMU context when the SMM flag is cleared Immediately reset the MMU context when the vCPU's SMM flag is cleared sothat the SMM flag in the MMU role is always synchronized with the vCPU'sflag. If RSM f...
6.6CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: fix memory leak in mcba_usb Syzbot reported memory leak in SocketCAN driver for Microchip CAN BUSAnalyzer Tool. The problem was in unfreed usb_coherent. In mcba_usb_start() 20 coherent buffers are allocated and there...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: can: j1939: fix Use-after-Free, hold skb ref while in use This patch fixes a Use-after-Free found by the syzbot. The problem is that a skb is taken from the per-session skb queue,without incrementing the ref count. This leads to a ...
8.4CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: regulator: rt4801: Fix NULL pointer dereference if priv->enable_gpios is NULL devm_gpiod_get_array_optional may return NULL if no GPIO was assigned.
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: phy: phy-mtk-tphy: Fix some resource leaks in mtk_phy_init() Use clk_disable_unprepare() in the error path of mtk_phy_init() to fixsome resource leaks.
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: ethernet: fix potential use-after-free in ec_bhf_remove static void ec_bhf_remove(struct pci_dev *dev){...struct ec_bhf_priv *priv = netdev_priv(net_dev); unregister_netdev(net_dev); free_netdev(net_dev); pci_iounmap(dev, priv...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: cdc_eem: fix tx fixup skb leak when usbnet transmit a skb, eem fixup it in eem_tx_fixup(),if skb_copy_expand() failed, it return NULL,usbnet_start_xmit() will have no chance to free original skb. fix it by free orginal skb in ...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: hamradio: fix memory leak in mkiss_close My local syzbot instance hit memory leak inmkiss_open()[1]. The problem was in missingfree_netdev() in mkiss_close(). In mkiss_open() netdevice is allocated and thenregistered, but in m...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix memory leak in ip_mc_add1_src BUG: memory leakunreferenced object 0xffff888101bc4c00 (size 32):comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s)hex dump (first 32 bytes):00 00 00 00 00 00 00 00 00 00 ...
5.5CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: usb: fix possible use-after-free in smsc75xx_bind The commit 46a8b29c6306 ("net: usb: fix memory leak in smsc75xx_bind")fails to clean up the work scheduled in smsc75xx_reset->smsc75xx_set_multicast, which leads to use-afte...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: qrtr: fix OOB Read in qrtr_endpoint_post Syzbot reported slab-out-of-bounds Read inqrtr_endpoint_post. The problem was in wrongsize type: if (len != ALIGN(size, 4) + hdrlen) goto err; If size from qrtr_hdr is 4294967293 (0xfff...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ethtool: strset: fix message length calculation Outer nest for ETHTOOL_A_STRSET_STRINGSETS is not accounted for.This may result in ETHTOOL_MSG_STRSET_GET producing a warning like: calculated message payload length (684) not suffici...
7.5CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: mptcp: fix soft lookup in subflow_error_report() Maxim reported a soft lookup in subflow_error_report(): watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [swapper/0:0]RIP: 0010:native_queued_spin_lock_slowpathRSP: 0018:ffffa859c00...
7.8CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: sch_cake: Fix out of bounds when parsing TCP options and header The TCP option parser in cake qdisc (cake_get_tcpopt andcake_tcph_may_drop) could read one byte out of bounds. When the lengthis 1, the execution flow gets into the lo...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: mptcp: Fix out of bounds when parsing TCP options The TCP option parser in mptcp (mptcp_get_options) could read one byteout of bounds. When the length is 1, the execution flow gets into theloop, reads one byte of the opcode, and if...
6.8AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: netfilter: synproxy: Fix out of bounds when parsing TCP options The TCP option parser in synproxy (synproxy_parse_options) could readone byte out of bounds. When the length is 1, the execution flow getsinto the loop, reads one byte...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix page reclaim for dead peer hairpin When adding a hairpin flow, a firmware-side send queue is created forthe peer net device, which claims some host memory pages for itsinternal ring buffer. If the peer net device is ...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix use-after-free of encap entry in neigh update handler Function mlx5e_rep_neigh_update() wasn't updated to accommodate rtnl lockremoval from TC filter update path and properly handle concurrent encapentry insertion/de...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: udp: fix race between close() and udp_abort() Kaustubh reported and diagnosed a panic in udp_lib_lookup().The root cause is udp_abort() racing with close(). Bothracing functions acquire the socket lock, but udp{v6}_destroy_sock()re...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: rds: fix memory leak in rds_recvmsg Syzbot reported memory leak in rds. The problemwas in unputted refcount in case of error. int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,int msg_flags){... if (!rds_nex...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: ipv4: fix memory leak in netlbl_cipsov4_add_std Reported by syzkaller:BUG: memory leakunreferenced object 0xffff888105df7000 (size 64):comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s)hex dump (first 32 bytes):...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: mac80211: fix skb length check in ieee80211_scan_rx() Replace hard-coded compile-time constants for header length checkwith dynamic determination based on the frame type. Otherwise, wehit a validation WARN_ON in cfg80211 later. [st...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: batman-adv: Avoid WARN_ON timing related checks The soft/batadv interface for a queued OGM can be changed during the timethe OGM was queued for transmission and when the OGM is actuallytransmitted by the worker. But WARN_ON must be...
6.7AI Score
0.0004EPSS