Linux Kernel Security Vulnerabilities

CVE-2022-48908

In the Linux kernel, the following vulnerability has been resolved: net: arcnet: com20020: Fix null-ptr-deref in com20020pci_probe() During driver initialization, the pointer of card info, i.e. the variable 'ci' is required. However, the definition of 'com20020pci_id_table' reveals that this field is...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
32

CVE-2022-48909

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix connection leak There's a potential leak issue under following execution sequence: smc_release smc_connect_work if (sk->sk_state == SMC_INIT) send_clc_confirim tcp_abort(); ... sk.sk_state = SMC_ACTIVE smc_close_active sw...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
34

CVE-2022-48910

In the Linux kernel, the following vulnerability has been resolved: net: ipv6: ensure we call ipv6_mc_down() at most once There are two reasons for addrconf_notify() to be called with NETDEV_DOWN: either the network device is actually going down, or IPv6 was disabled on the interface. If either of th...

5.5 CVSS

6.6 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
34

CVE-2022-48911

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_queue: fix possible use-after-free Eric Dumazet says: The sock_hold() side seems suspect, because there is no guarantee that sk_refcnt is not already 0. On failure, we cannot queue the packet and need to indicate an erro...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
34

CVE-2022-48912

In the Linux kernel, the following vulnerability has been resolved: netfilter: fix use-after-free in __nf_register_net_hook() We must not dereference @new_hooks after nf_hook_mutex has been released, because other threads might have freed our allocated hooks already. BUG: KASAN: use-after-free in nf...

7.8 CVSS

6.5 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
30

CVE-2022-48913

In the Linux kernel, the following vulnerability has been resolved: blktrace: fix use after free for struct blk_trace When tracing the whole disk, 'dropped' and 'msg' will be created under 'q->debugfs_dir' and 'bt->dir' is NULL, thus blk_trace_free() won't remove those files. What's worse, the ...

7.8 CVSS

6.6 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
28

CVE-2022-48914

In the Linux kernel, the following vulnerability has been resolved: xen/netfront: destroy queues before real_num_tx_queues is zeroed xennet_destroy_queues() relies on info->netdev->real_num_tx_queues to delete queues. Since d7dac083414eb5bb99a6d2ed53dc2c1b405224e5 ("net-sysfs: update the queue ...

5.5 CVSS

6.2 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
29

CVE-2022-48915

In the Linux kernel, the following vulnerability has been resolved: thermal: core: Fix TZ_GET_TRIP NULL pointer dereference Do not call get_trip_hyst() from thermal_genl_cmd_tz_get_trip() if the thermal zone does not define one.

5.5 CVSS

6.6 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
30

CVE-2022-48916

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix double list_add when enabling VMD in scalable mode When enabling VMD and IOMMU scalable mode, the following kernel panic call trace/kernel log is shown in Eagle Stream platform (Sapphire Rapids CPU) during booting: pc...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
35

CVE-2022-48917

In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min While the $val/$val2 values passed in from userspace are always >= 0 integers, the limits of the control can be signed integers and the $min can be non-zero and less th...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
34

CVE-2022-48918

In the Linux kernel, the following vulnerability has been resolved: iwlwifi: mvm: check debugfs_dir ptr before use When "debugfs=off" is used on the kernel command line, iwlwifi's mvm module uses an invalid/unchecked debugfs_dir pointer and causes a BUG: BUG: kernel NULL pointer dereference, address:...

5.5 CVSS

6.3 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
29

CVE-2022-48919

In the Linux kernel, the following vulnerability has been resolved: cifs: fix double free race when mount fails in cifs_get_root() When cifs_get_root() fails during cifs_smb3_do_mount() we call deactivate_locked_super() which eventually will call delayed_free() which will free the context. In this sit...

7.8 CVSS

6.5 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
31

CVE-2022-48920

In the Linux kernel, the following vulnerability has been resolved: btrfs: get rid of warning on transaction commit when using flushoncommit When using the flushoncommit mount option, during almost every transaction commit we trigger a warning from __writeback_inodes_sb_nr(): $ cat fs/fs-writeback.c...

5.5 CVSS

6.4 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
31

CVE-2022-48921

In the Linux kernel, the following vulnerability has been resolved: sched/fair: Fix fault in reweight_entity Syzbot found a GPF in reweight_entity. This has been bisected to commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid sched_task_group") There is a race between sched_post_fo...

4.7 CVSS

6.5 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
29

CVE-2022-48922

In the Linux kernel, the following vulnerability has been resolved: riscv: fix oops caused by irqsoff latency tracer The trace_hardirqs_{on,off}() require the caller to setup frame pointer properly. This because these two functions use macro 'CALLER_ADDR1' (aka. __builtin_return_address(1)) to acquir...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
31

CVE-2022-48923

In the Linux kernel, the following vulnerability has been resolved: btrfs: prevent copying too big compressed lzo segment Compressed length can be corrupted to be a lot larger than memory we have allocated for buffer. This will cause memcpy in copy_compressed_segment to write outside of allocated memo...

5.5 CVSS

6.6 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
33

CVE-2022-48924

In the Linux kernel, the following vulnerability has been resolved: thermal: int340x: fix memory leak in int3400_notify() It is easy to hit the below memory leaks in my TigerLake platform: unreferenced object 0xffff927c8b91dbc0 (size 32): comm "kworker/0:2", pid 112, jiffies 4294893323 (age 83.604s)...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
27

CVE-2022-48925

In the Linux kernel, the following vulnerability has been resolved: RDMA/cma: Do not change route.addr.src_addr outside state checks If the state is not idle then resolve_prepare_src() should immediately fail and no change to global state should happen. However, it unconditionally overwrites the src_...

7.8 CVSS

6.5 AI Score

0.0004 EPSS

2024-08-22 02:15 AM
31

CVE-2022-48926

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: rndis: add spinlock for rndis response list There's no lock for rndis response list. It could cause list corruption if there're two different list_add at the same time like below. It's better to add in rndis_add_response...

7.8 CVSS

6.8 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
28

CVE-2022-48927

In the Linux kernel, the following vulnerability has been resolved: iio: adc: tsc2046: fix memory corruption by preventing array overflow On one side we have indio_dev->num_channels includes all physical channels + timestamp channel. On other side we have an array allocated only for physical chann...

7.8 CVSS

6.9 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
32

CVE-2022-48928

In the Linux kernel, the following vulnerability has been resolved: iio: adc: men_z188_adc: Fix a resource leak in an error handling path If iio_device_register() fails, a previous ioremap() is left unbalanced. Update the error handling path and add the missing iounmap() call, as already done in the...

5.5 CVSS

6.9 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
30

CVE-2022-48929

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix crash due to out of bounds access into reg2btf_ids. When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier reg type ...

5.5 CVSS

6.9 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
33

CVE-2022-48930

In the Linux kernel, the following vulnerability has been resolved: RDMA/ib_srp: Fix a deadlock Remove the flush_workqueue(system_long_wq) call since flushing system_long_wq is deadlock-prone and since that call is redundant with a preceding cancel_work_sync()

5.5 CVSS

7 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
29

CVE-2022-48931

In the Linux kernel, the following vulnerability has been resolved: configfs: fix a race in configfs_{,un}register_subsystem() When configfs_register_subsystem() or configfs_unregister_subsystem() is executing link_group() or unlink_group(), it is possible that two processes add or delete list concur...

4.7 CVSS

6.8 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
31

CVE-2022-48932

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: DR, Fix slab-out-of-bounds in mlx5_cmd_dr_create_fte When adding a rule with 32 destinations, we hit the following out-of-band access issue: BUG: KASAN: slab-out-of-bounds in mlx5_cmd_dr_create_fte+0x18ee/0x1e70 This patch...

5.5 CVSS

7 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
30

CVE-2022-48933

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix memory leak during stateful obj update stateful objects can be updated from the control plane. The transaction logic allocates a temporary object for this purpose. The ->init function was called for this...

5.5 CVSS

7 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
30

CVE-2022-48934

In the Linux kernel, the following vulnerability has been resolved: nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac() ida_simple_get() returns an id between min (0) and max (NFP_MAX_MAC_INDEX) inclusive. So NFP_MAX_MAC_INDEX (0xff) is a valid id. In order for the error handling path to...

5.5 CVSS

6.9 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
31

CVE-2022-48935

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unregister flowtable hooks on netns exit Unregister flowtable hooks before they are released via nf_tables_flowtable_destroy() otherwise hook core reports UAF. BUG: KASAN: use-after-free in nf_hook_entries_grow...

5.5 CVSS

7 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
32

CVE-2022-48937

In the Linux kernel, the following vulnerability has been resolved: io_uring: add a schedule point in io_add_buffers() Looping ~65535 times doing kmalloc() calls can trigger soft lockups, especially with DEBUG features (like KASAN). [ 253.536212] watchdog: BUG: soft lockup - CPU#64 stuck for 26s! [b...

3.3 CVSS

7 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
32

CVE-2022-48938

In the Linux kernel, the following vulnerability has been resolved: CDC-NCM: avoid overflow in sanity checking A broken device may give an extreme offset like 0xFFF0 and a reasonable length for a fragment. In the sanity check as formulated now, this will create an integer overflow, defeating the sanit...

5.5 CVSS

7.1 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
34

CVE-2022-48939

In the Linux kernel, the following vulnerability has been resolved: bpf: Add schedule points in batch ops syzbot reported various soft lockups caused by bpf batch operations. INFO: task kworker/1:1:27 blocked for more than 140 seconds. INFO: task hung in rcu_barrier Nothing prevents batch ops to pro...

3.3 CVSS

6.9 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
38

CVE-2022-48940

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix crash due to incorrect copy_map_value When both bpf_spin_lock and bpf_timer are present in a BPF map value, copy_map_value needs to skirt both objects when copying a value into and out of the map. However, the current code d...

5.5 CVSS

6.8 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
33

CVE-2022-48941

In the Linux kernel, the following vulnerability has been resolved: ice: fix concurrent reset and removal of VFs Commit c503e63200c6 ("ice: Stop processing VF messages during teardown") introduced a driver state flag, ICE_VF_DEINIT_IN_PROGRESS, which is intended to prevent some issues with concurrent...

4.7 CVSS

7.2 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
39

CVE-2022-48942

In the Linux kernel, the following vulnerability has been resolved: hwmon: Handle failure to register sensor with thermal zone correctly If an attempt is made to a sensor with a thermal zone and it fails, the call to devm_thermal_zone_of_sensor_register() may return -ENODEV. This may result in crashe...

5.5 CVSS

6.8 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
37

CVE-2022-48943

In the Linux kernel, the following vulnerability has been resolved: KVM: x86/mmu: make apf token non-zero to fix bug In current async pagefault logic, when a page is ready, KVM relies on kvm_arch_can_dequeue_async_page_present() to determine whether to deliver a READY event to the Guest. This functio...

7.8 CVSS

6.8 AI Score

0.0004 EPSS

2024-08-22 04:15 AM
35

CVE-2022-48944

In the Linux kernel, the following vulnerability has been resolved: sched: Fix yet more sched_fork() races Where commit 4ef0c5c6b5ba ("kernel/sched: Fix sched_fork() access an invalid sched_task_group") fixed a fork race vs cgroup, it opened up a race vs syscalls by not placing the task on the runque...

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-08-30 11:15 AM
95

CVE-2023-0030

A use-after-free flaw was found in the Linux kernel’s nouveau driver in how a user triggers a memory overflow that causes the nvkm_vma_tail function to fail. This flaw allows a local user to crash or potentially escalate their privileges on the system.

7.8 CVSS

7.6 AI Score

0.0004 EPSS

2023-03-08 11:15 PM
39

CVE-2023-0045

The current implementation of the prctl syscall does not issue an IBPB immediately during the syscall. The ib_prctl_set function updates the Thread Information Flags (TIFs) for the task and updates the SPEC_CTRL MSR on the function __speculation_ctrl_update, but the IBPB is only issued on the next ...

7.5 CVSS

7.4 AI Score

0.002 EPSS

2023-04-25 11:15 PM
158

CVE-2023-0122

A NULL pointer dereference vulnerability in the Linux kernel NVMe functionality, in nvmet_setup_auth(), allows an attacker to perform a Pre-Auth Denial of Service (DoS) attack on a remote machine. Affected versions v6.0-rc1 to v6.0-rc3, fixed in v6.0-rc4.

7.5 CVSS

7 AI Score

0.002 EPSS

2023-01-17 09:15 PM
60

CVE-2023-0160

A deadlock flaw was found in the Linux kernel’s BPF subsystem. This flaw allows a local user to potentially crash the system.

5.5 CVSS

5.7 AI Score

0.0004 EPSS

2023-07-18 05:15 PM
39

CVE-2023-0179

A buffer overflow vulnerability was found in the Netfilter subsystem in the Linux Kernel. This issue could allow the leakage of both stack and heap addresses, and potentially allow Local Privilege Escalation to the root user via arbitrary code execution.

7.8 CVSS

8.1 AI Score

0.0004 EPSS

2023-03-27 10:15 PM
161

CVE-2023-0210

A bug affects the Linux kernel’s ksmbd NTLMv2 authentication and is known to crash the OS immediately in Linux-based systems.

7.5 CVSS

7.2 AI Score

0.005 EPSS

2023-03-27 10:15 PM
152

CVE-2023-0240

There is a logic error in io_uring's implementation which can be used to trigger a use-after-free vulnerability leading to privilege escalation. In the io_prep_async_work function the assumption that the last io_grab_identity call cannot return false is not true, and in this case the function will ...

7.8 CVSS

7.4 AI Score

0.0004 EPSS

2023-01-30 02:15 PM
44

CVE-2023-0266

A use after free vulnerability exists in the ALSA PCM package in the Linux Kernel. SNDRV_CTL_IOCTL_ELEM_{READ|WRITE}32 is missing locks that can be used in a use-after-free that can result in a privilege escalation to gain ring0 access from the system user. We recommend upgrading past commit 56b88...

7.9 CVSS

8.1 AI Score

0.001 EPSS

2023-01-30 02:15 PM
581
In Wild

CVE-2023-0386

A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount. This uid mapping bug allows a local user to escalate ...

7.8 CVSS

7.4 AI Score

0.0004 EPSS

2023-03-22 09:15 PM
217

CVE-2023-0394

A NULL pointer dereference flaw was found in rawv6_push_pending_frames in net/ipv6/raw.c in the network subcomponent in the Linux kernel. This flaw causes the system to crash.

5.5 CVSS

6.3 AI Score

0.0004 EPSS

2023-01-26 09:18 PM
290

CVE-2023-0458

A speculative pointer dereference problem exists in the Linux Kernel on the do_prlimit() function. The resource argument value is controlled and is used in pointer arithmetic for the 'rlim' variable and can be used to leak the contents. We recommend upgrading past version 6.1.8 or commit 7397906057...

5.3 CVSS

6.1 AI Score

0.0004 EPSS

2023-04-26 07:15 PM
99

CVE-2023-0459

Copy_from_user on 64-bit versions of the Linux kernel does not implement the __uaccess_begin_nospec allowing a user to bypass the "access_ok" check and pass a kernel pointer to copy_from_user(). This would allow an attacker to leak information. We recommend upgrading beyond commit 74e19ef0ff8061ef5...

6.5 CVSS

6.2 AI Score

0.0004 EPSS

2023-05-25 02:15 PM
371

CVE-2023-0461

There is a use-after-free vulnerability in the Linux Kernel which can be exploited to achieve local privilege escalation. To reach the vulnerability kernel configuration flag CONFIG_TLS or CONFIG_XFRM_ESPINTCP has to be configured, but the operation does not require any privilege. There is a use-af...

7.8 CVSS

7.4 AI Score

0.0004 EPSS

2023-02-28 03:15 PM
221

CVE-2023-0468

A use-after-free flaw was found in io_uring/poll.c in io_poll_check_events in the io_uring subcomponent in the Linux Kernel due to a race condition of poll_refs. This flaw may cause a NULL pointer dereference.

4.7 CVSS

4.2 AI Score

0.0004 EPSS

2023-01-26 09:18 PM
176
Total number of security vulnerabilities: 6678