Linux Kernel Security Vulnerabilities


CVE-2021-4440

In the Linux kernel, the following vulnerability has been resolved: x86/xen: Drop USERGS_SYSRET64 paravirt call commit afd30525a659ac0ae0904f0cb4a2ca75522c3123 upstream. USERGS_SYSRET64 is used to return from a syscall via SYSRET, but a Xen PV guest will nevertheless use the IRET hypercall, as there...

8.8CVSS

6.4AI Score

0.0004EPSS

2024-06-25 03:15 PM
40

CVE-2021-4441

In the Linux kernel, the following vulnerability has been resolved: spi: spi-zynq-qspi: Fix a NULL pointer dereference in zynq_qspi_exec_mem_op() In zynq_qspi_exec_mem_op(), kzalloc() is directly used in memset(), which could lead to a NULL pointer dereference on failure of kzalloc(). Fix this bug by...

5.5CVSS

6.7AI Score

0.0004EPSS

2024-08-22 02:15 AM
33

CVE-2021-4442

In the Linux kernel, the following vulnerability has been resolved: tcp: add sanity tests to TCP_QUEUE_SEQ Qingyu Li reported a syzkaller bug where the repro changes RCV SEQ after restoring data in the receive queue. mprotect(0x4aa000, 12288, PROT_READ) = 0 mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVA...

5.5CVSS

6.4AI Score

0.0005EPSS

2024-08-29 11:15 AM
25

CVE-2021-44733

A use-after-free exists in drivers/tee/tee_shm.c in the TEE subsystem in the Linux kernel through 5.15.11. This occurs because of a race condition in tee_shm_get_from_id during an attempt to free a shared memory object.

7CVSS

7.3AI Score

0.001EPSS

2021-12-22 05:15 PM
282
2

CVE-2021-44879

In gc_data_segment in fs/f2fs/gc.c in the Linux kernel before 5.16.3, special files are not considered, leading to a move_data_page NULL pointer dereference.

5.5CVSS

5.9AI Score

0.001EPSS

2022-02-14 12:15 PM
142

CVE-2021-45095

pep_sock_accept in net/phonet/pep.c in the Linux kernel through 5.15.8 has a refcount leak.

5.5CVSS

6.5AI Score

0.0005EPSS

2021-12-16 04:15 AM
174
2

CVE-2021-45402

The check_alu_op() function in kernel/bpf/verifier.c in the Linux kernel through v5.16-rc5 did not properly update bounds while handling the mov32 instruction, which allows local users to obtain potentially sensitive address information, aka a "pointer leak."

5.5CVSS

5.6AI Score

0.0004EPSS

2022-02-11 03:15 PM
141

CVE-2021-45469

In __f2fs_setxattr in fs/f2fs/xattr.c in the Linux kernel through 5.15.11, there is an out-of-bounds memory access when an inode has an invalid last xattr entry.

7.8CVSS

7.2AI Score

0.001EPSS

2021-12-23 07:15 PM
153

CVE-2021-45480

An issue was discovered in the Linux kernel before 5.15.11. There is a memory leak in the __rds_conn_create() function in net/rds/connection.c in a certain combination of circumstances.

5.5CVSS

6.1AI Score

0.0004EPSS

2021-12-24 11:15 PM
135

CVE-2021-45485

In the IPv6 implementation in the Linux kernel before 5.13.3, net/ipv6/output_core.c has an information leak because of certain use of a hash table which, although big, doesn't properly consider that IPv6-based attackers can typically choose among many IPv6 source addresses.

7.5CVSS

7.2AI Score

0.001EPSS

2021-12-25 02:15 AM
258

CVE-2021-45486

In the IPv4 implementation in the Linux kernel before 5.12.4, net/ipv4/route.c has an information leak because the hash table is very small.

3.5CVSS

5.5AI Score

0.0005EPSS

2021-12-25 02:15 AM
199

CVE-2021-45868

In the Linux kernel before 5.15.3, fs/quota/quota_tree.c does not validate the block number in the quota tree (on disk). This can, for example, lead to a kernel/locking/rwsem.c use-after-free if there is a corrupted quota file.

5.5CVSS

5.8AI Score

0.001EPSS

2022-03-18 07:15 AM
268

CVE-2021-46283

nf_tables_newset in net/netfilter/nf_tables_api.c in the Linux kernel before 5.12.13 allows local users to cause a denial of service (NULL pointer dereference and general protection fault) because of the missing initialization for nft_set_elem_expr_alloc. A local user can set a netfilter table expr...

5.5CVSS

5.4AI Score

0.0004EPSS

2022-01-11 10:15 PM
72

CVE-2021-46904

In the Linux kernel, the following vulnerability has been resolved: net: hso: fix null-ptr-deref during tty device unregistration Multiple ttys try to claim the same minor number causing a double unregistration of the same device. The first unregistration succeeds but the next one results in a nu...

5.5CVSS

6.2AI Score

0.0004EPSS

2024-02-26 04:27 PM
1159

CVE-2021-46905

In the Linux kernel, the following vulnerability has been resolved: net: hso: fix NULL-deref on disconnect regression Commit 8a12f8836145 ("net: hso: fix null-ptr-deref during tty device unregistration") fixed the racy minor allocation reported by syzbot, but introduced an unconditional NULL-pointer ...

5.5CVSS

6.3AI Score

0.0004EPSS

2024-02-26 04:27 PM
1122

CVE-2021-46906

In the Linux kernel, the following vulnerability has been resolved: HID: usbhid: fix info leak in hid_submit_ctrl In hid_submit_ctrl(), the way of calculating the report length doesn't take into account that report->size can be zero. When running the syzkaller reproducer, a report of size 0 causes...

5.5CVSS

6.2AI Score

0.0004EPSS

2024-02-26 06:15 PM
924

CVE-2021-46908

In the Linux kernel, the following vulnerability has been resolved: bpf: Use correct permission flag for mixed signed bounds arithmetic We forbid adding unknown scalars with mixed signed bounds due to the spectre v1 masking mitigation. Hence this also needs bypass_spec_v1 flag instead of allow_ptr_le...

5.5CVSS

6.6AI Score

0.0004EPSS

2024-02-27 07:15 AM
569

CVE-2021-46909

In the Linux kernel, the following vulnerability has been resolved: ARM: footbridge: fix PCI interrupt mapping Since commit 30fdfb929e82 ("PCI: Add a call to pci_assign_irq() in pci_device_probe()"), the PCI code will call the IRQ mapping function whenever a PCI driver is probed. If these are marked ...

5.5CVSS

6.4AI Score

0.0004EPSS

2024-02-27 07:15 AM
585

CVE-2021-46910

In the Linux kernel, the following vulnerability has been resolved: ARM: 9063/1: mm: reduce maximum number of CPUs if DEBUG_KMAP_LOCAL is enabled The debugging code for kmap_local() doubles the number of per-CPU fixmap slots allocated for kmap_local(), in order to use half of them as guard regions. T...

5.5CVSS

5.2AI Score

0.0004EPSS

2024-02-27 07:15 AM
593

CVE-2021-46911

In the Linux kernel, the following vulnerability has been resolved: ch_ktls: Fix kernel panic Taking page refcount is not ideal and causes kernel panic sometimes. It's better to take tx_ctx lock for the complete skb transmit, to avoid page cleanup if ACK received in middle.

5.5CVSS

5.2AI Score

0.0004EPSS

2024-02-27 07:15 AM
394

CVE-2021-46912

In the Linux kernel, the following vulnerability has been resolved: net: Make tcp_allowed_congestion_control readonly in non-init netns Currently, tcp_allowed_congestion_control is global and writable; writing to it in any net namespace will leak into all other net namespaces. tcp_available_congestio...

5.5CVSS

5.3AI Score

0.0004EPSS

2024-02-27 07:15 AM
602

CVE-2021-46913

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: clone set element expression template memcpy() breaks when using connlimit in set elements. Use nft_expr_clone() to initialize the connlimit expression list, otherwise connlimit garbage collector crashes when wal...

5.5CVSS

5.2AI Score

0.0004EPSS

2024-02-27 07:15 AM
428

CVE-2021-46914

In the Linux kernel, the following vulnerability has been resolved: ixgbe: fix unbalanced device enable/disable in suspend/resume pci_disable_device() called in __ixgbe_shutdown() decreases dev->enable_cnt by 1. pci_enable_device_mem() which increases dev->enable_cnt by 1, was removed from ixgb...

5.5CVSS

5.2AI Score

0.0004EPSS

2024-02-27 07:15 AM
403

CVE-2021-46915

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_limit: avoid possible divide error in nft_limit_init div_u64() divides u64 by u32. nft_limit_init() wants to divide u64 by u64, use the appropriate math function (div64_u64) divide error: 0000 [#1] PREEMPT SMP KASAN CP...

5.5CVSS

5.1AI Score

0.0004EPSS

2024-02-27 07:15 AM
598

CVE-2021-46916

In the Linux kernel, the following vulnerability has been resolved: ixgbe: Fix NULL pointer dereference in ethtool loopback test The ixgbe driver currently generates a NULL pointer dereference when performing the ethtool loopback test. This is due to the fact that there isn't a q_vector associated wi...

5.5CVSS

5.4AI Score

0.0004EPSS

2024-02-27 07:15 AM
405

CVE-2021-46917

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix wq cleanup of WQCFG registers A pre-release silicon erratum workaround where wq reset does not clear WQCFG registers was leaked into upstream code. Use wq reset command instead of blasting the MMIO region. This a...

5.5CVSS

5.4AI Score

0.0004EPSS

2024-02-27 07:15 AM
526

CVE-2021-46918

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: clear MSIX permission entry on shutdown Add disabling/clearing of MSIX permission entries on device shutdown to mirror the enabling of the MSIX entries on probe. Current code left the MSIX enabled and the pasid entri...

5.5CVSS

5.5AI Score

0.0004EPSS

2024-02-27 07:15 AM
527

CVE-2021-46919

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix wq size store permission state WQ size can only be changed when the device is disabled. Current code allows change when device is enabled but wq is disabled. Change the check to detect device state.

5.5CVSS

5.3AI Score

0.0004EPSS

2024-02-27 07:15 AM
527

CVE-2021-46920

In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback Current code blindly writes over the SWERR and the OVERFLOW bits. Write back the bits actually read instead so the driver avoids clobbering the OVERFLOW bit that come...

5.5CVSS

5.6AI Score

0.0004EPSS

2024-02-27 07:15 AM
407

CVE-2021-46921

In the Linux kernel, the following vulnerability has been resolved: locking/qrwlock: Fix ordering in queued_write_lock_slowpath() While this code is executed with the wait_lock held, a reader can acquire the lock without holding wait_lock. The writer side loops checking the value with the atomic_cond...

5.5CVSS

6.3AI Score

0.0004EPSS

2024-02-27 10:15 AM
507

CVE-2021-46922

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix TPM reservation for seal/unseal The original patch 8c657a0590de ("KEYS: trusted: Reserve TPM for seal and unseal operations") was correct on the mailing list: https://lore.kernel.org/linux-integrity/20210128235621...

5.5CVSS

6.6AI Score

0.0004EPSS

2024-02-27 10:15 AM
431

CVE-2021-46923

In the Linux kernel, the following vulnerability has been resolved: fs/mount_setattr: always cleanup mount_kattr Make sure that finish_mount_kattr() is called after mount_kattr was successfully built in both the success and failure case to prevent leaking any references we took when we built it. We re...

5.5CVSS

6.2AI Score

0.0004EPSS

2024-02-27 10:15 AM
483

CVE-2021-46924

In the Linux kernel, the following vulnerability has been resolved: NFC: st21nfca: Fix memory leak in device probe and remove 'phy->pending_skb' is alloced when device probe, but forgot to free in the error handling path and remove path, this cause memory leak as follows: unreferenced object 0xfff...

5.5CVSS

6.2AI Score

0.0004EPSS

2024-02-27 10:15 AM
428

CVE-2021-46925

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix kernel panic caused by race of smc_sock A crash occurs when smc_cdc_tx_handler() tries to access smc_sock but smc_release() has already freed it. [ 4570.695099] BUG: unable to handle page fault for address: 000000002eae...

4.7CVSS

6.2AI Score

0.0004EPSS

2024-02-27 10:15 AM
577

CVE-2021-46926

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: intel-sdw-acpi: harden detection of controller The existing code currently sets a pointer to an ACPI handle before checking that it's actually a SoundWire controller. This can lead to issues where the graph walk continues ...

5.5CVSS

6.2AI Score

0.0004EPSS

2024-02-27 10:15 AM
412

CVE-2021-46927

In the Linux kernel, the following vulnerability has been resolved: nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert After commit 5b78ed24e8ec ("mm/pagemap: add mmap_assert_locked() annotations to find_vma*()"), the call to get_user_pages() will trigger the mmap assert. static...

5.5CVSS

6.2AI Score

0.0004EPSS

2024-02-27 10:15 AM
618

CVE-2021-46928

In the Linux kernel, the following vulnerability has been resolved: parisc: Clear stale IIR value on instruction access rights trap When a trap 7 (Instruction access rights) occurs, this means the CPU couldn't execute an instruction due to missing execute permissions on the memory region. In this cas...

5.5CVSS

6.5AI Score

0.0004EPSS

2024-02-27 10:15 AM
483

CVE-2021-46929

In the Linux kernel, the following vulnerability has been resolved: sctp: use call_rcu to free endpoint This patch is to delay the endpoint free by calling call_rcu() to fix another use-after-free issue in sctp_sock_dump(): BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20 Call Trace: __lock_...

5.5CVSS

6.3AI Score

0.0004EPSS

2024-02-27 10:15 AM
633

CVE-2021-46930

In the Linux kernel, the following vulnerability has been resolved: usb: mtu3: fix list_head check warning This is caused by uninitialization of list_head. BUG: KASAN: use-after-free in __list_del_entry_valid+0x34/0xe4 Call trace: dump_backtrace+0x0/0x298 show_stack+0x24/0x34 dump_stack+0x130/0x1a8 pri...

5.5CVSS

6.4AI Score

0.0004EPSS

2024-02-27 10:15 AM
272

CVE-2021-46931

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Wrap the tx reporter dump callback to extract the sq Function mlx5e_tx_reporter_dump_sq() casts its void * argument to struct mlx5e_txqsq *, but in TX-timeout-recovery flow the argument is actually of type struct mlx5e_tx_...

5.5CVSS

6.3AI Score

0.0004EPSS

2024-02-27 10:15 AM
570

CVE-2021-46932

In the Linux kernel, the following vulnerability has been resolved: Input: appletouch - initialize work before device registration Syzbot has reported warning in __flush_work(). This warning is caused by work->func == NULL, which means missing work initialization. This may happen, since input_dev...

5.5CVSS

6.2AI Score

0.0004EPSS

2024-02-27 10:15 AM
418

CVE-2021-46933

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. ffs_data_clear is indirectly called from both ffs_fs_kill_sb and ffs_ep0_release, so it ends up being called twice when userland closes ep0 and then unmounts f_fs. If userland pr...

5.5CVSS

6.2AI Score

0.0004EPSS

2024-02-27 10:15 AM
490

CVE-2021-46934

In the Linux kernel, the following vulnerability has been resolved: i2c: validate user data in compat ioctl Wrong user data may cause warning in i2c_transfer(), ex: zero msgs. Userspace should not be able to trigger warnings, so this patch adds validation checks for user data in compat ioctl to prev...

3.3CVSS

6.1AI Score

0.0004EPSS

2024-02-27 10:15 AM
419

CVE-2021-46935

In the Linux kernel, the following vulnerability has been resolved: binder: fix async_free_space accounting for empty parcels In 4.13, commit 74310e06be4d ("android: binder: Move buffer out of area shared with user space") fixed a kernel structure visibility issue. As part of that patch, sizeof(void ...

5.5CVSS

6.5AI Score

0.0004EPSS

2024-02-27 10:15 AM
537

CVE-2021-46936

In the Linux kernel, the following vulnerability has been resolved: net: fix use-after-free in tw_timer_handler A real world panic issue was found as follow in Linux 5.4. BUG: unable to handle page fault for address: ffffde49a863de28 PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0...

7.8CVSS

6.3AI Score

0.0004EPSS

2024-02-27 10:15 AM
596

CVE-2021-46937

In the Linux kernel, the following vulnerability has been resolved: mm/damon/dbgfs: fix 'struct pid' leaks in 'dbgfs_target_ids_write()' DAMON debugfs interface increases the reference counts of 'struct pid's for targets from the 'target_ids' file write callback ('dbgfs_target_ids_write()'), but decr...

5.5CVSS

6.5AI Score

0.0004EPSS

2024-02-27 10:15 AM
485

CVE-2021-46938

In the Linux kernel, the following vulnerability has been resolved: dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails When loading a device-mapper table for a request-based mapped device, and the allocation/initialization of the blk_mq_tag_set for the device fails, a follo...

7.8CVSS

6AI Score

0.0004EPSS

2024-02-27 07:04 PM
504

CVE-2021-46939

In the Linux kernel, the following vulnerability has been resolved: tracing: Restructure trace_clock_global() to never block It was reported that a fix to the ring buffer recursion detection would cause a hung machine when performing suspend / resume testing. The following backtrace was extracted fro...

5.5CVSS

6.7AI Score

0.0004EPSS

2024-02-27 07:04 PM
588

CVE-2021-46940

In the Linux kernel, the following vulnerability has been resolved: tools/power turbostat: Fix offset overflow issue in index converting The idx_to_offset() function returns type int (32-bit signed), but MSR_PKG_ENERGY_STAT is u32 and would be interpreted as a negative number. The end result is that ...

5.5CVSS

6.6AI Score

0.0004EPSS

2024-02-27 07:04 PM
637

CVE-2021-46941

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: core: Do core softreset when switch mode According to the programming guide, to switch mode for DRD controller, the driver needs to do the following. To switch from device to host: Reset controller with GCTL.CoreSoftReset...

5.5CVSS

6.3AI Score

0.0004EPSS

2024-02-27 07:04 PM
641
Total number of security vulnerabilities: 6678