Linux Kernel Security Vulnerabilities


CVE-2024-26591

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix re-attachment branch in bpf_tracing_prog_attach The following case can cause a crash due to missing attach_btf: load rawtp program load fentry program with rawtp as target_fd create tracing link for fentry program with tar...

5.5 CVSS

6 AI Score

0.0004 EPSS

2024-02-22 05:15 PM
313

CVE-2024-26592

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix UAF issue in ksmbd_tcp_new_connection() The race is between the handling of a new TCP connection and its disconnection. It leads to UAF on struct tcp_transport in ksmbd_tcp_new_connection() function.

7.8 CVSS

7.1 AI Score

0.0004 EPSS

2024-02-22 05:15 PM
1506

CVE-2024-26593

In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Fix block process call transactions According to the Intel datasheets, software must reset the block buffer index twice for block process call transactions: once before writing the outgoing data to the buffer, and once aga...

7.1 CVSS

6.3 AI Score

0.0004 EPSS

2024-02-23 10:15 AM
1361

CVE-2024-26594

In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate mech token in session setup If client send invalid mech token in session setup request, ksmbd validate and make the error if it is invalid.

7.1 CVSS

6.6 AI Score

0.0004 EPSS

2024-02-23 02:15 PM
1088

CVE-2024-26595

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix NULL pointer dereference in error path When calling mlxsw_sp_acl_tcam_region_destroy() from an error path after failing to attach the region to an ACL group, we hit a NULL pointer dereference upon 'regio...

5.5 CVSS

6 AI Score

0.0004 EPSS

2024-02-23 03:15 PM
1086

CVE-2024-26596

In the Linux kernel, the following vulnerability has been resolved: net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events After the blamed commit, we started doing this dereference for every NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system. static inline st...

5.5 CVSS

6.6 AI Score

0.0004 EPSS

2024-02-23 03:15 PM
1041

CVE-2024-26597

In the Linux kernel, the following vulnerability has been resolved: net: qualcomm: rmnet: fix global oob in rmnet_policy The variable rmnet_link_ops assign a bigger maxtype which leads to a global out-of-bounds read when parsing the netlink attributes. See bugtrace below: ===========================...

7.1 CVSS

5.5 AI Score

0.0004 EPSS

2024-02-23 03:15 PM
1326

CVE-2024-26598

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: vgic-its: Avoid potential UAF in LPI translation cache There is a potential UAF scenario in the case of an LPI translation cache hit racing with an operation that invalidates the cache, such as a DISCARD ITS command. The ...

7.8 CVSS

6.1 AI Score

0.0004 EPSS

2024-02-23 03:15 PM
1316

CVE-2024-26599

In the Linux kernel, the following vulnerability has been resolved: pwm: Fix out-of-bounds access in of_pwm_single_xlate() With args->args_count == 2 args->args[2] is not defined. Actually the flags are contained in args->args[1].

7.8 CVSS

6.2 AI Score

0.0004 EPSS

2024-02-23 03:15 PM
1058

CVE-2024-26600

In the Linux kernel, the following vulnerability has been resolved: phy: ti: phy-omap-usb2: Fix NULL pointer dereference for SRP If the external phy working together with phy-omap-usb2 does not implement send_srp(), we may still attempt to call it. This can happen on an idle Ethernet gadget triggerin...

5.5 CVSS

5.9 AI Score

0.0004 EPSS

2024-02-26 04:27 PM
1154

CVE-2024-26601

In the Linux kernel, the following vulnerability has been resolved: ext4: regenerate buddy after block freeing failed if under fc replay This mostly reverts commit 6bd97bf273bd ("ext4: remove redundant mb_regenerate_buddy()") and reintroduces mb_regenerate_buddy(). Based on code in mb_free_blocks(), ...

5.5 CVSS

6.3 AI Score

0.0004 EPSS

2024-02-26 04:27 PM
1286

CVE-2024-26602

In the Linux kernel, the following vulnerability has been resolved: sched/membarrier: reduce the ability to hammer on sys_membarrier On some systems, sys_membarrier can be very expensive, causing overall slowdowns for everything. So put a lock on the path in order to serialize the accesses to prevent...

5.5 CVSS

6.2 AI Score

0.0004 EPSS

2024-02-26 04:28 PM
557

CVE-2024-26603

In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Stop relying on userspace for info to fault in xsave buffer Before this change, the expected size of the user space buffer was taken from fx_sw->xstate_size. fx_sw->xstate_size can be changed from user-space, so it is ...

5.5 CVSS

6.3 AI Score

0.0004 EPSS

2024-02-26 04:28 PM
1241

CVE-2024-26604

In the Linux kernel, the following vulnerability has been resolved: Revert "kobject: Remove redundant checks for whether ktype is NULL" This reverts commit 1b28cb81dab7c1eedc6034206f4e8d644046ad31. It is reported to cause problems, so revert it for now until the root cause can be found.

5.5 CVSS

6.5 AI Score

0.0004 EPSS

2024-02-26 04:28 PM
1116

CVE-2024-26605

In the Linux kernel, the following vulnerability has been resolved: PCI/ASPM: Fix deadlock when enabling ASPM A last minute revert in 6.7-final introduced a potential deadlock when enabling ASPM during probe of Qualcomm PCIe controllers as reported by lockdep: ========================================...

5.5 CVSS

6.3 AI Score

0.0004 EPSS

2024-02-26 04:28 PM
1131

CVE-2024-26606

In the Linux kernel, the following vulnerability has been resolved: binder: signal epoll threads of self-work In (e)poll mode, threads often depend on I/O events to determine when data is ready for consumption. Within binder, a thread may initiate a command via BINDER_WRITE_READ without a read buffer...

5.5 CVSS

6.3 AI Score

0.0004 EPSS

2024-02-26 04:28 PM
1030

CVE-2024-26607

In the Linux kernel, the following vulnerability has been resolved: drm/bridge: sii902x: Fix probing race issue A null pointer dereference crash has been observed rarely on TI platforms using sii9022 bridge: [ 53.271356] sii902x_get_edid+0x34/0x70 [sii902x] [ 53.276066] sii902x_bridge_get_edid+0x14/0...

6.2 AI Score

0.0004 EPSS

2024-02-29 12:15 PM
4592

CVE-2024-26608

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix global oob in ksmbd_nl_policy Similar to a reported issue (check the commit b33fb5b801c6 ("net: qualcomm: rmnet: fix global oob in rmnet_policy"), my local fuzzer finds another global out-of-bounds read for policy ksmbd_nl...

5.6 AI Score

0.0004 EPSS

2024-03-11 06:15 PM
4632

CVE-2024-26610

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix a memory corruption iwl_fw_ini_trigger_tlv::data is a pointer to a __le32, which means that if we copy to iwl_fw_ini_trigger_tlv::data + offset while offset is in bytes, we'll write past the buffer.

6.1 AI Score

0.0004 EPSS

2024-03-11 06:15 PM
4678

CVE-2024-26611

In the Linux kernel, the following vulnerability has been resolved: xsk: fix usage of multi-buffer BPF helpers for ZC XDP Currently when packet is shrunk via bpf_xdp_adjust_tail() and memory type is set to MEM_TYPE_XSK_BUFF_POOL, null ptr dereference happens: [1136314.192256] BUG: kernel NULL pointe...

6.3 AI Score

0.0004 EPSS

2024-03-11 06:15 PM
4621

CVE-2024-26612

In the Linux kernel, the following vulnerability has been resolved: netfs, fscache: Prevent Oops in fscache_put_cache() This function dereferences "cache" and then checks if it's IS_ERR_OR_NULL(). Check first, then dereference.

6.3 AI Score

0.0004 EPSS

2024-03-11 06:15 PM
4628

CVE-2024-26614

In the Linux kernel, the following vulnerability has been resolved: tcp: make sure init the accept_queue's spinlocks once When I run syz's reproduction C program locally, it causes the following issue: pvqspinlock: lock 0xffff9d181cd5c660 has corrupted value 0x0! WARNING: CPU: 19 PID: 21160 at __pv_qu...

6.2 AI Score

0.0004 EPSS

2024-03-11 06:15 PM
4682

CVE-2024-26615

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix illegal rmb_desc access in SMC-D connection dump A crash was found when dumping SMC-D connections. It can be reproduced by following steps: run nginx/wrk test: smc_run nginx smc_run wrk -t 16 -c 1000 -d <duration> -...

6 AI Score

0.0004 EPSS

2024-03-11 06:15 PM
4628

CVE-2024-26616

In the Linux kernel, the following vulnerability has been resolved: btrfs: scrub: avoid use-after-free when chunk length is not 64K aligned [BUG] There is a bug report that, on a ext4-converted btrfs, scrub leads to various problems, including: "unable to find chunk map" errors BTRFS info (device vdb)...

6.2 AI Score

0.0004 EPSS

2024-03-11 06:15 PM
4632

CVE-2024-26617

In the Linux kernel, the following vulnerability has been resolved: fs/proc/task_mmu: move mmu notification mechanism inside mm lock Move mmu notification mechanism inside mm lock to prevent race condition in other components which depend on it. The notifier will invalidate memory range. Depending up...

6.5 AI Score

0.0004 EPSS

2024-03-11 06:15 PM
4666

CVE-2024-26618

In the Linux kernel, the following vulnerability has been resolved: arm64/sme: Always exit sme_alloc() early with existing storage When sme_alloc() is called with existing storage and we are not flushing we will always allocate new storage, both leaking the existing storage and corrupting the state. ...

6.5 AI Score

0.0004 EPSS

2024-03-11 06:15 PM
4625

CVE-2024-26619

In the Linux kernel, the following vulnerability has been resolved: riscv: Fix module loading free order Reverse order of kfree calls to resolve use-after-free error.

6.7 AI Score

0.0004 EPSS

2024-03-11 06:15 PM
4693

CVE-2024-26620

In the Linux kernel, the following vulnerability has been resolved: s390/vfio-ap: always filter entire AP matrix The vfio_ap_mdev_filter_matrix function is called whenever a new adapter or domain is assigned to the mdev. The purpose of the function is to update the guest's AP configuration by filteri...

6.3 AI Score

0.0004 EPSS

2024-03-11 06:15 PM
4611

CVE-2024-26621

In the Linux kernel, the following vulnerability has been resolved: mm: huge_memory: don't force huge page alignment on 32 bit commit efa7df3e3bb5 ("mm: align larger anonymous mappings on THP boundaries") caused two issues [1] [2] reported on 32 bit system or compat userspace. It doesn't make too muc...

6.5 AI Score

0.0004 EPSS

2024-03-02 10:15 PM
4593

CVE-2024-26622

In the Linux kernel, the following vulnerability has been resolved: tomoyo: fix UAF write bug in tomoyo_write_control() Since tomoyo_write_control() updates head->write_buf when write() of long lines is requested, we need to fetch head->write_buf after head->io_sem is held. Otherwise, concur...

6.2 AI Score

0.0004 EPSS

2024-03-04 07:15 AM
3151

CVE-2024-26623

In the Linux kernel, the following vulnerability has been resolved: pds_core: Prevent race issues involving the adminq There are multiple paths that can result in using the pdsc's adminq. [1] pdsc_adminq_isr and the resulting work from queue_work(), i.e. pdsc_work_thread()->pdsc_process_adminq() [...

6.4 AI Score

0.0004 EPSS

2024-03-06 07:15 AM
74

CVE-2024-26625

In the Linux kernel, the following vulnerability has been resolved: llc: call sock_orphan() at release time syzbot reported an interesting trace [1] caused by a stale sk->sk_wq pointer in a closed llc socket. In commit ff7b11aa481f ("net: socket: set sock->sk to NULL after calling proto_ops::re...

5.8 AI Score

0.0004 EPSS

2024-03-06 07:15 AM
2653

CVE-2024-26626

In the Linux kernel, the following vulnerability has been resolved: ipmr: fix kernel panic when forwarding mcast packets The stacktrace was: [ 86.305548] BUG: kernel NULL pointer dereference, address: 0000000000000092 [ 86.306815] #PF: supervisor read access in kernel mode [ 86.307717] #PF: error_code...

6.1 AI Score

0.0004 EPSS

2024-03-06 07:15 AM
2728

CVE-2024-26627

In the Linux kernel, the following vulnerability has been resolved: scsi: core: Move scsi_host_busy() out of host lock for waking up EH handler Inside scsi_eh_wakeup(), scsi_host_busy() is called & checked with host lock every time for deciding if error handler kthread needs to be waken up. This can...

6.1 AI Score

0.0004 EPSS

2024-03-06 07:15 AM
2675

CVE-2024-26629

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix RELEASE_LOCKOWNER The test on so_count in nfsd4_release_lockowner() is nonsense and harmful. Revert to using check_for_locks(), changing that to not sleep. First: harmful. As is documented in the kdoc comment for nfsd4_rele...

6.4 AI Score

0.0004 EPSS

2024-03-13 02:15 PM
73

CVE-2024-26630

In the Linux kernel, the following vulnerability has been resolved: mm: cachestat: fix folio read-after-free in cache walk In cachestat, we access the folio from the page cache's xarray to compute its page offset, and check for its dirty and writeback flags. However, we do not hold a reference to the...

6.6 AI Score

0.0004 EPSS

2024-03-13 04:15 PM
24

CVE-2024-26631

In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work idev->mc_ifc_count can be written over without proper locking. Originally found by syzbot [1], fix this issue by encapsulating calls to mld_ifc_stop_work() (and mld_gq_sto...

6.3 AI Score

0.0004 EPSS

2024-03-18 11:15 AM
55

CVE-2024-26632

In the Linux kernel, the following vulnerability has been resolved: block: Fix iterating over an empty bio with bio_for_each_folio_all If the bio contains no data, bio_first_folio() calls page_folio() on a NULL pointer and oopses. Move the test that we've reached the end of the bio from bio_next_foli...

6.5 AI Score

0.0004 EPSS

2024-03-18 11:15 AM
50

CVE-2024-26633

In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken. Reading frag_off can only be done if we pulled enough bytes to skb->head. Currently we migh...

6.2 AI Score

0.0004 EPSS

2024-03-18 11:15 AM
56

CVE-2024-26634

In the Linux kernel, the following vulnerability has been resolved: net: fix removing a namespace with conflicting altnames Mark reports a BUG() when a net namespace is removed. kernel BUG at net/core/dev.c:11520! Physical interfaces moved outside of init_net get "refunded" to init_net when that nam...

6.2 AI Score

0.0004 EPSS

2024-03-18 11:15 AM
77

CVE-2024-26635

In the Linux kernel, the following vulnerability has been resolved: llc: Drop support for ETH_P_TR_802_2. syzbot reported an uninit-value bug below. [0] llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2 (0x0011), and syzbot abused the latter to trigger the bug. write$tun(r0, &(0x7...

5.8 AI Score

0.0004 EPSS

2024-03-18 11:15 AM
57

CVE-2024-26636

In the Linux kernel, the following vulnerability has been resolved: llc: make llc_ui_sendmsg() more robust against bonding changes syzbot was able to trick llc_ui_sendmsg(), allocating an skb with no headroom, but subsequently trying to push 14 bytes of Ethernet header [1] Like some others, llc_ui_s...

6.2 AI Score

0.0004 EPSS

2024-03-18 11:15 AM
68

CVE-2024-26637

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: rely on mac80211 debugfs handling for vif mac80211 started to delete debugfs entries in certain cases, causing a ath11k to crash when it tried to delete the entries later. Fix this by relying on mac80211 to delete the e...

6.7 AI Score

0.0004 EPSS

2024-03-18 11:15 AM
40

CVE-2024-26638

In the Linux kernel, the following vulnerability has been resolved: nbd: always initialize struct msghdr completely syzbot complains that msg->msg_get_inq value can be uninitialized [1] struct msghdr got many new fields recently, we should always make sure their values is zero by default. [1] BUG:...

6.3 AI Score

0.0004 EPSS

2024-03-18 11:15 AM
53

CVE-2024-26640

In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity checks to rx zerocopy TCP rx zerocopy intent is to map pages initially allocated from NIC drivers, not pages owned by a fs. This patch adds to can_map_frag() these additional checks: Page must not be a compound one. ...

6.1 AI Score

0.0004 EPSS

2024-03-18 11:15 AM
71

CVE-2024-26641

In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: make sure to pull inner header in __ip6_tnl_rcv() syzbot found __ip6_tnl_rcv() could access uninitialized data [1]. Call pskb_inet_may_pull() to fix this, and initialize ipv6h variable after this call as it can change skb-...

6.1 AI Score

0.0004 EPSS

2024-03-18 11:15 AM
69

CVE-2024-26642

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: disallow anonymous set with timeout flag Anonymous sets are never used with timeout from userspace, reject this. Exception to this rule is NFT_SET_EVAL to ensure legacy meters still work.

6.1 AI Score

0.0004 EPSS

2024-03-21 11:15 AM
3841

CVE-2024-26643

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout While the rhashtable set gc runs asynchronously, a race allows it to collect elements from anonymous sets with timeouts while it is being released from ...

6.2 AI Score

0.0004 EPSS

2024-03-21 11:15 AM
3926

CVE-2024-26644

In the Linux kernel, the following vulnerability has been resolved: btrfs: don't abort filesystem when attempting to snapshot deleted subvolume If the source file descriptor to the snapshot ioctl refers to a deleted subvolume, we get the following abort: BTRFS: Transaction aborted (error -2) WARNING:...

6 AI Score

0.0004 EPSS

2024-03-26 04:15 PM
58

CVE-2024-26645

In the Linux kernel, the following vulnerability has been resolved: tracing: Ensure visibility when inserting an element into tracing_map Running the following two commands in parallel on a multi-processor AArch64 machine can sporadically produce an unexpected warning about duplicate histogram entrie...

6.2 AI Score

0.0004 EPSS

2024-03-26 04:15 PM
58
Total number of security vulnerabilities: 6678