Linux Kernel Security Vulnerabilities - January
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921e: fix crash in chip reset fail In case of drv own fail in reset, we may need to run mac_reset severaltimes. The sequence would trigger system crash as the log below. Because we do not re-enable/schedule "tx_napi"...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: vdpa: ifcvf: Do proper cleanup if IFCVF init fails ifcvf_mgmt_dev leaks memory if it is not freed beforereturning. Call is made to correct return statementso memory does not leak. ifcvf_init_hw does not takecare of this so it is ne...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: cxl/region: Fix null pointer dereference for resetting decoder Not all decoders have a reset callback. The CXL specification allows a host bridge with a single root port tohave no explicit HDM decoders. Currently the region driver ...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: pinctrl: single: fix potential NULL dereference Added checking of pointer "function" in pcs_set_mux().pinmux_generic_get_function() can return NULL and the pointer"function" was dereferenced without checking against NULL. Found by ...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ice: switch: fix potential memleak in ice_add_adv_recipe() When ice_add_special_words() fails, the 'rm' is not released, which willlead to a memory leak. Fix this up by going to 'err_unroll' label. Compile tested only.
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix a possible null pointer dereference In radeon_fp_native_mode(), the return value of drm_mode_duplicate()is assigned to mode, which will lead to a NULL pointer dereferenceon failure of drm_mode_duplicate(). Add a che...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: tipc: improve size validations for received domain records The function tipc_mon_rcv() allows a node to receive and processdomain_record structs from peer nodes to track their views of thenetwork topology. This patch verifies that ...
6.5AI Score
0.009EPSS
In the Linux kernel, the following vulnerability has been resolved: ext4: fix error handling in ext4_fc_record_modified_inode() Current code does not fully takes care of krealloc() error case, whichcould lead to silent memory corruption or a kernel bug. This patchfixes that. Also it cleans up some ...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/pt: Fix crash with stop filters in single-range mode Add a check for !buf->single before calling pt_buffer_region_size in aplace where a missing check can cause a kernel crash. Fixes a bug introduced by commit 670...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: bpf: Use VM_MAP instead of VM_ALLOC for ringbuf After commit 2fd3fb0be1d1 ("kasan, vmalloc: unpoison VM_ALLOC pagesafter mapping"), non-VM_ALLOC mappings will be marked as accessiblein __get_vm_area_node() when KASAN is enabled. Bu...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe Running tests with a debug kernel shows that bnx2fc_recv_frame() ismodifying the per_cpu lport stats counters in a non-mpsafe way. Just boota debug kernel and run the bnx2fc driver wit...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd938x: fix incorrect used of portid Mixer controls have the channel id in mixer->reg, which is not sameas port id. port id should be derived from chan_info array.So fix this. Without this, its possible that we co...
9.8CVSS
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ASoC: max9759: fix underflow in speaker_gain_control_put() Check for negative values of "priv->gain" to prevent an out of boundsaccess. The concern is that these might come from the user via:-> snd_ctl_elem_write_user()-> ...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm: mxsfb: Fix NULL pointer dereference mxsfb should not ever dereference the NULL pointer whichdrm_atomic_get_new_bridge_state is allowed to return.Assume a fixed format instead.
5.5CVSS
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net, neigh: Do not trigger immediate probes on NUD_FAILED from neigh_managed_work syzkaller was able to trigger a deadlock for NTF_MANAGED entries [0]: kworker/0:16/14617 is trying to acquire lock:ffffffff8d4dd370 (&tbl->lock){+...
5.5CVSS
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: macsec: Fix offload support for NETDEV_UNREGISTER event Current macsec netdev notify handler handles NETDEV_UNREGISTER event byreleasing relevant SW resources only, this causes resources leak in caseof macsec HW offload, as th...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/smc: Forward wakeup to smc socket waitqueue after fallback When we replace TCP with SMC and a fallback occurs, there may besome socket waitqueue entries remaining in smc socket->wq, suchas eppoll_entries inserted by userspac...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: ieee802154: ca8210: Stop leaking skb's Upon error the ieee802154_xmit_complete() helper is not called. Onlyieee802154_wake_queue() is called manually. We then leak the skbstructure. Free the skb structure upon error before ret...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: spi: uniphier: fix reference count leak in uniphier_spi_probe() The issue happens in several error paths in uniphier_spi_probe().When either dma_get_slave_caps() or devm_spi_register_master() returnsan error code, the function forg...
5.5CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping() After commit e3beca48a45b ("irqdomain/treewide: Keep firmware nodeunconditionally allocated"). For tear down scenario, fn is only freedafter fail to allocate ir_d...
5.5CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: RDMA/siw: Fix refcounting leak in siw_create_qp() The atomic_inc() needs to be paired with an atomic_dec() on the errorpath.
5.5CVSS
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: RDMA/ucma: Protect mc during concurrent multicast leaves Partially revert the commit mentioned in the Fixes line to make sure thatallocation and erasing multicast struct are locked. BUG: KASAN: use-after-free in ucma_cleanup_multic...
7.8CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Avoid consuming a stale esr value when SError occur When any exception other than an IRQ occurs, the CPU updates the ESR_EL2register with the exception syndrome. An SError may also become pending,and will be synchronise...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix AIP early init panic An early failure in hfi1_ipoib_setup_rn() can lead to the following panic: BUG: unable to handle kernel NULL pointer dereference at 00000000000001b0PGD 0 P4D 0Oops: 0002 [#1] SMP NOPTIWorkqueue: ev...
5.5CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: IB/hfi1: Fix panic with larger ipoib send_queue_size When the ipoib send_queue_size is increased from the default the followingpanic happens: RIP: 0010:hfi1_ipoib_drain_tx_ring+0x45/0xf0 [hfi1]Code: 31 e4 eb 0f 8b 85 c8 02 00 00 41...
5.5CVSS
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: dma-buf: heaps: Fix potential spectre v1 gadget It appears like nr could be a Spectre v1 gadget as it's supplied by auser and used as an array index. Prevent the contentsof kernel memory from being leaked to userspace via speculati...
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: mm/kmemleak: avoid scanning potential huge holes When using devm_request_free_mem_region() and devm_memremap_pages() toadd ZONE_DEVICE memory, if requested free mem region's end pfn werehuge(e.g., 0x400000000), the node_end_pfn() w...
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix off by one in BIOS boundary checking Bounds checking when parsing init scripts embedded in the BIOS rejectaccess to the last byte. This causes driver initialization to fail onApple eMac's with GeForce 2 MX GPUs, le...
7.8CVSS
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free after failure to create a snapshot At ioctl.c:create_snapshot(), we allocate a pending snapshot structure andthen attach it to the transaction's list of pending snapshots. After thatwe call btrfs_commit_tr...
7.8CVSS
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock between quota disable and qgroup rescan worker Quota disable ioctl starts a transaction before waiting for the qgrouprescan worker completes. However, this wait can be infinite and resultsin deadlock because of ...
5.5CVSS
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: Fix UAF of leds class devs at unbinding The LED class devices that are created by HD-audio codec drivers areregistered via devm_led_classdev_register() and associated with theHD-audio codec device. Unfortunately, it turn...
7.8CVSS
6.7AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() We don't currently validate that the values being set are within the rangewe advertised to userspace as being valid, do so and reject any valuesthat are out of range.
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ASoC: hdmi-codec: Fix OOB memory accesses Correct size of iec_status array by changing it to the size of statusarray of the struct snd_aes_iec958. This fixes out-of-bounds slabread accesses made by memcpy() of the hdmi-codec driver...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: selinux: fix double free of cond_list on error paths On error path from cond_read_list() and duplicate_policydb_cond_list()the cond_list_destroy() gets called a second time in caller functions,resulting in NULL pointer deref. Fix t...
7.8CVSS
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: ovl: fix NULL pointer dereference in copy up warning This patch is fixing a NULL pointer dereference to get a recentlyintroduced warning message working.
5.5CVSS
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() While looking at one unrelated syzbot bug, I found the replay logicin __rtnl_newlink() to potentially trigger use-after-free. It is better to clear master_dev and...
7.8CVSS
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: amd-xgbe: Fix skb data length underflow There will be BUG_ON() triggered in include/linux/skbuff.h leading tointermittent kernel panic, when the skb length underflow is detected. Fix this by dropping the packet if such length ...
5.5CVSS
6.4AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Avoid field-overflowing memcpy() In preparation for FORTIFY_SOURCE performing compile-time and run-timefield bounds checking for memcpy(), memmove(), and memset(), avoidintentionally writing across neighboring fields. Us...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Use del_timer_sync in fw reset flow of halting poll Substitute del_timer() with del_timer_sync() in fw reset pollingdeactivation flow, in order to prevent a race condition which occurswhen del_timer() is called and timer ...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix handling of wrong devices during bond netevent Current implementation of bond netevent handler only check ifthe handled netdev is VF representor and it missing a check ifthe VF representor is on the same phys device ...
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: block: Fix wrong offset in bio_truncate() bio_truncate() clears the buffer outside of last block of bdev, howevercurrent bio_truncate() is using the wrong offset of page. So it canreturn the uninitialized data. This happened when b...
7.5CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net: bridge: vlan: fix memory leak in __allowed_ingress When using per-vlan state, if vlan snooping and stats are disabled,untagged or priority-tagged ingress frame will go to check pvid state.If the port state is forwarding and th...
7.5CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: invalid parameter check in dpu_setup_dspp_pcc The function performs a check on the "ctx" input parameter, however, itis used before the check. Initialize the "base" variable after the sanity check to avoid apossible NU...
5.5CVSS
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: hwmon: (nct6775) Fix crash in clear_caseopen Pawe? Marciniak reports the following crash, observed when clearingthe chassis intrusion alarm. BUG: kernel NULL pointer dereference, address: 0000000000000028PGD 0 P4D 0Oops: 0000 [#1] ...
5.5CVSS
5.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: net/smc: Transitional solution for clcsock race issue We encountered a crash in smc_setsockopt() and it is caused byaccessing smc->clcsock after clcsock was released. BUG: kernel NULL pointer dereference, address: 00000000000000...
6.2AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: powerpc/perf: Fix power_pmu_disable to call clear_pmi_irq_pending only if PMI is pending Running selftest with CONFIG_PPC_IRQ_SOFT_MASK_DEBUG enabled in kerneltriggered below warning: [ 172.851380] ------------[ cut here ]---------...
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: block: fix memory leak in disk_register_independent_access_ranges kobject_init_and_add() takes reference even when it fails.According to the doc of kobject_init_and_add() If this function returns an error, kobject_put() must be cal...
5.5CVSS
6.5AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: phylib: fix potential use-after-free Commit bafbdd527d56 ("phylib: Add device reset GPIO support") added callto phy_device_reset(phydev) after the put_device() call in phy_detach(). The comment before the put_device() call says tha...
8.4CVSS
6.6AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: powerpc64/bpf: Limit 'ldbrx' to processors compliant with ISA v2.06 Johan reported the below crash with test_bpf on ppc64 e5500: test_bpf: #296 ALU_END_FROM_LE 64: 0x0123456789abcdef -> 0x67452301 jited:1Oops: Exception in kerne...
6.3AI Score
0.0004EPSS
In the Linux kernel, the following vulnerability has been resolved: drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable The function performs a check on the "phy" input parameter, however, itis used before the check. Initialize the "dev" variable after the sanity check to avoid a possibleNUL...
5.5CVSS
6.5AI Score
0.0004EPSS