Linux Kernel Security Vulnerabilities
In the Linux kernel, the following vulnerability has been resolved: kunit/overflow: Fix UB in overflow_allocation_test The 'device_name' array doesn't exist out of the'overflow_allocation_test' function scope. However, it is being used asa driver name when calling 'kunit_driver_create' from'kunit_d...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: iommufd: Require drivers to supply the cache_invalidate_user ops If drivers don't do this then iommufd will oops invalidation ioctls withsomething like: Unable to handle kernel NULL pointer dereference at virtual address 0000000000...
6.4AI Score
In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: use IWL_FW_CHECK for link ID check The lookup function iwl_mvm_rcu_fw_link_id_to_link_conf() isnormally called with input from the firmware, so it should useIWL_FW_CHECK() instead of WARN_ON().
6.7AI Score
In the Linux kernel, the following vulnerability has been resolved: ELF: fix kernel.randomize_va_space double read ELF loader uses "randomize_va_space" twice. It is sysctl and can changeat any moment, so 2 loads could see 2 different values in theory withunpredictable consequences. Issue exactly on...
6.6AI Score
In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix firmware crash due to invalid peer nss Currently, if the access point receives an associationrequest containing an Extended HE Capabilities InformationElement with an invalid MCS-NSS, it triggers a firmwarecrash. ...
6.7AI Score
In the Linux kernel, the following vulnerability has been resolved: sched: sch_cake: fix bulk flow accounting logic for host fairness In sch_cake, we keep track of the count of active bulk flows per host,when running in dst/src host fairness mode, which is used as theround-robin weight when iterati...
6.7AI Score
In the Linux kernel, the following vulnerability has been resolved: rtmutex: Drop rt_mutex::wait_lock before scheduling rt_mutex_handle_deadlock() is called with rt_mutex::wait_lock held. In thegood case it returns with the lock held and in the deadlock case it emits awarning and goes into an endle...
6.7AI Score
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Acquire kvm->srcu when handling KVM_SET_VCPU_EVENTS Grab kvm->srcu when processing KVM_SET_VCPU_EVENTS, as KVM will forciblyleave nested VMX/SVM if SMM mode is being toggled, and leaving nested VMXreads guest memory...
6.6AI Score
In the Linux kernel, the following vulnerability has been resolved: net: microchip: vcap: Fix use-after-free error in kunit test This is a clear use-after-free error. We remove it, and rely on checkingthe return code of vcap_del_rule.
6.8AI Score
In the Linux kernel, the following vulnerability has been resolved: MIPS: cevt-r4k: Don't call get_c0_compare_int if timer irq is installed This avoids warning: [ 0.118053] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:283 Caused by get_c0_compare_int on secondary CPU...
6.4AI Score
In the Linux kernel, the following vulnerability has been resolved: net: hns3: void array out of bound when loop tnl_num When query reg inf of SSU, it loops tnl_num times. However, tnl_num comesfrom hardware and the length of array is a fixed value. To void array outof bound, make sure the loop tim...
6.7AI Score
In the Linux kernel, the following vulnerability has been resolved: ethtool: fail closed if we can't get max channel used in indirection tables Commit 0d1b7d6c9274 ("bnxt: fix crashes when reducing ring count withactive RSS contexts") proves that allowing indirection table to containchannels with o...
6.6AI Score
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Fix smatch static checker warning adev->gfx.imu.funcs could be NULL
6.6AI Score
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed_udc: validate endpoint index for ast udc We should verify the bound of the array to assure that hostmay not manipulate the index to point past endpoint array. Found by static analysis.
6.6AI Score
In the Linux kernel, the following vulnerability has been resolved: drm/panthor: Restrict high priorities on group_create We were allowing any users to create a high priority group without anypermission checks. As a result, this was allowing possible denial ofservice. We now only allow the DRM mast...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: userfaultfd: don't BUG_ON() if khugepaged yanks our page table Since khugepaged was changed to allow retracting page tables in filemappings without holding the mmap lock, these BUG_ON()s are wrong - getrid of them. We could also re...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: workqueue: Improve scalability of workqueue watchdog touch On a ~2000 CPU powerpc system, hard lockups have been observed in theworkqueue code when stop_machine runs (in this case due to CPU hotplug).This is due to lots of CPUs spi...
6.8AI Score
In the Linux kernel, the following vulnerability has been resolved: btrfs: clean up our handling of refs == 0 in snapshot delete In reada we BUG_ON(refs == 0), which could be unkind since we aren'tholding a lock on the extent leaf and thus could get a transientincorrect answer. In walk_down_proc we...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: btrfs: don't BUG_ON on ENOMEM from btrfs_lookup_extent_info() in walk_down_proc() We handle errors here properly, ENOMEM isn't fatal, return the error.
6.6AI Score
In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Handle mailbox timeouts in lpfc_get_sfp_info The MBX_TIMEOUT return code is not handled in lpfc_get_sfp_info and theroutine unconditionally frees submitted mailbox commands regardless ofreturn status. The issue is that ...
6.7AI Score
In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Remove SCSI host only if added If host tries to remove ufshcd driver from a UFS device it would cause akernel panic if ufshcd_async_scan fails during ufshcd_probe_hba beforeadding a SCSI host with scsi_add_host and...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: um: line: always fill *error_out in setup_one_line() The pointer isn't initialized by callers, but I haveencountered cases where it's still printed; initializeit in all possible cases in setup_one_line().
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: tracing/timerlat: Only clear timer if a kthread exists The timerlat tracer can use user space threads to check for osnoise andtimer latency. If the program using this is killed via a SIGTERM, thethreads are shutdown one at a time a...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: spi: rockchip: Resolve unbalanced runtime PM / system PM handling Commit e882575efc77 ("spi: rockchip: Suspend and resume the bus duringNOIRQ_SYSTEM_SLEEP_PM ops") stopped respecting runtime PM status andsimply disabled clocks unco...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: mm: vmalloc: ensure vmap_block is initialised before adding to queue Commit 8c61291fd850 ("mm: fix incorrect vbq reference inpurge_fragmented_block") extended the 'vmap_block' structure to contain a'cpu' field which is set at alloc...
6.7AI Score
In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel: Limit the period on Haswell Running the ltp test cve-2015-3290 concurrently reports the followingwarnings. perfevents: irq loop stuck!WARNING: CPU: 31 PID: 32438 at arch/x86/events/intel/core.c:3174intel_pmu_handle_...
6.2AI Score
In the Linux kernel, the following vulnerability has been resolved: ASoC: meson: axg-card: fix 'use-after-free' Buffer 'card->dai_link' is reallocated in 'meson_card_reallocate_links()',so move 'pad' pointer initialization after this function when memory isalready reallocated. Kasan bug report: ...
6.6AI Score
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid race between dcn35_set_drr() and dc_state_destruct() dc_state_destruct() nulls the resource context of the DC state. The pipecontext passed to dcn35_set_drr() is a member of this resource context. If dc_state...
6.3AI Score
In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Avoid race between dcn10_set_drr() and dc_state_destruct() dc_state_destruct() nulls the resource context of the DC state. The pipecontext passed to dcn10_set_drr() is a member of this resource context. If dc_state...
6.3AI Score
In the Linux kernel, the following vulnerability has been resolved: dma-buf: heaps: Fix off-by-one in CMA heap fault handler Until VM_DONTEXPAND was added in commit 1c1914d6e8c6 ("dma-buf: heaps:Don't track CMA dma-buf pages under RssFile") it was possible to obtaina mapping larger than the buffer ...
6.8AI Score
In the Linux kernel, the following vulnerability has been resolved: spi: nxp-fspi: fix the KASAN report out-of-bounds bug Change the memcpy length to fix the out-of-bounds issue when writing thedata that is not 4 byte aligned to TX FIFO. To reproduce the issue, write 3 bytes data to NOR chip. dd if...
6.3AI Score
In the Linux kernel, the following vulnerability has been resolved: net: dpaa: Pad packets to ETH_ZLEN When sending packets under 60 bytes, up to three bytes of the bufferfollowing the data may be leaked. Avoid this by extending all packets toETH_ZLEN, ensuring nothing is leaked in the padding. Thi...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_socket: fix sk refcount leaks We must put 'sk' reference before returning.
6.6AI Score
In the Linux kernel, the following vulnerability has been resolved: net: phy: dp83822: Fix NULL pointer dereference on DP83825 devices The probe() function is only used for DP83822 and DP83826 PHY,leaving the private data pointer uninitialized for the DP83825 modelswhich causes a NULL pointer deref...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix bridge mode operations when there are no VFs Currently, trying to set the bridge mode attribute when numvfs=0 leads to acrash: bridge link set dev eth2 hwmode vepa [ 168.967392] BUG: kernel NULL pointer dereference, a...
6.4AI Score
In the Linux kernel, the following vulnerability has been resolved: mptcp: pm: Fix uaf in __timer_delete_sync There are two paths to access mptcp_pm_del_add_timer, result in a racecondition: CPU1 CPU2 ==== ==== net_rx_action napi_poll netlink_sendmsg __napi_poll netlink_unicast process_backlog netl...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: platform/x86: panasonic-laptop: Fix SINF array out of bounds accesses The panasonic laptop code in various places uses the SINF array with indexvalues of 0 - SINF_CUR_BRIGHT(0x0d) without checking that the SINF arrayis big enough. ...
6.7AI Score
In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix NULL pointer access in mt7921_ipv6_addr_change When disabling wifi mt7921_ipv6_addr_change() is called as a notifier.At this point mvif->phy is already NULL so we cannot use it here.
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: usbnet: ipheth: do not stop RX on failing RX callback RX callbacks can fail for multiple reasons: Payload too short Payload formatted incorrecly (e.g. bad NCM framing) Lack of memory None of these should cause the driver to seize u...
6.6AI Score
In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: soc-acpi-intel-mtl-match: add missing empty item There is no links_num in struct snd_soc_acpi_mach {}, and we test!link->num_adr as a condition to end the loop in hda_sdw_machine_select().So an empty item in struct ...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: ASoC: Intel: soc-acpi-intel-lnl-match: add missing empty item There is no links_num in struct snd_soc_acpi_mach {}, and we test!link->num_adr as a condition to end the loop in hda_sdw_machine_select().So an empty item in struct ...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: x86/hyperv: fix kexec crash due to VP assist page corruption commit 9636be85cc5b ("x86/hyperv: Fix hyperv_pcpu_input_arg handling whenCPUs go online/offline") introduces a new cpuhp state for hypervinitialization. cpuhp_setup_state...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: fou: fix initialization of grc The grc must be initialize first. There can be a condition where iffou is NULL, goto out will be executed and grc would be useduninitialized.
6.6AI Score
In the Linux kernel, the following vulnerability has been resolved: drm/xe/client: add missing bo locking in show_meminfo() bo_meminfo() wants to inspect bo state like tt and the ttm resource,however this state can change at any point leading to stuff like NPD andUAF, if the bo lock is not held. Gr...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: drm/xe/client: fix deadlock in show_meminfo() There is a real deadlock as well as sleeping in atomic() bug in here, ifthe bo put happens to be the last ref, since bo destruction wants tograb the same spinlock and sleeping locks. Fi...
6.5AI Score
In the Linux kernel, the following vulnerability has been resolved: firmware: qcom: uefisecapp: Fix deadlock in qcuefi_acquire() If the __qcuefi pointer is not set, then in the original code, we wouldhold onto the lock. That means that if we tried to set it later, thenit would cause a deadlock. Dro...
6.4AI Score