Linux Kernel Security Vulnerabilities


CVE-2023-4732

A flaw was found in pfn_swap_entry_to_page in memory management subsystem in the Linux Kernel. In this flaw, an attacker with a local user privilege may cause a denial of service problem due to a BUG statement referencing pmd_t x.

4.7CVSS

5.3AI Score

0.0004EPSS

2023-10-03 05:15 PM
134

CVE-2023-4921

A use-after-free vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited to achieve local privilege escalation. When the plug qdisc is used as a class of the qfq qdisc, sending network packets triggers use-after-free in qfq_dequeue() due to the incorrect .peek handler of s...

7.8CVSS

7.7AI Score

0.0004EPSS

2023-09-12 08:15 PM
401

CVE-2023-50431

sec_attest_info in drivers/accel/habanalabs/common/habanalabs_ioctl.c in the Linux kernel through 6.6.5 allows an information leak to user space because info->pad0 is not initialized.

5.5CVSS

5.7AI Score

0.0004EPSS

2023-12-09 11:15 PM
65

CVE-2023-5090

A flaw was found in KVM. An improper check in svm_set_x2apic_msr_interception() may allow direct access to host x2apic msrs when the guest resets its apic, potentially leading to a denial of service condition.

6CVSS

6.8AI Score

0.0004EPSS

2023-11-06 11:15 AM
393

CVE-2023-51042

In the Linux kernel before 6.4.12, amdgpu_cs_wait_all_fences in drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c has a fence use-after-free.

7.8CVSS

7.1AI Score

0.0004EPSS

2024-01-23 11:15 AM
52

CVE-2023-51043

In the Linux kernel before 6.4.5, drivers/gpu/drm/drm_atomic.c has a use-after-free during a race condition between a nonblocking atomic commit and a driver unload.

7CVSS

6.7AI Score

0.0004EPSS

2024-01-23 11:15 AM
48

CVE-2023-5158

A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c in the host side of a virtio ring in the Linux Kernel. This issue may result in a denial of service from guest to host via zero length descriptor.

6.5CVSS

6.6AI Score

0.0004EPSS

2023-09-25 04:15 PM
65

CVE-2023-5178

A use-after-free vulnerability was found in drivers/nvme/target/tcp.c in nvmet_tcp_free_crypto due to a logical bug in the NVMe/TCP subsystem in the Linux kernel. This issue may allow a malicious user to cause a use-after-free and double-free problem, which may permit remote code execution or lead t...

8.8CVSS

9.4AI Score

0.024EPSS

2023-11-01 05:15 PM
258

CVE-2023-51780

An issue was discovered in the Linux kernel before 6.6.8. do_vcc_ioctl in net/atm/ioctl.c has a use-after-free because of a vcc_recvmsg race condition.

7CVSS

6.9AI Score

0.0004EPSS

2024-01-11 07:15 PM
80

CVE-2023-51781

An issue was discovered in the Linux kernel before 6.6.8. atalk_ioctl in net/appletalk/ddp.c has a use-after-free because of an atalk_recvmsg race condition.

7CVSS

6.8AI Score

0.0004EPSS

2024-01-11 07:15 PM
52

CVE-2023-51782

An issue was discovered in the Linux kernel before 6.6.8. rose_ioctl in net/rose/af_rose.c has a use-after-free because of a rose_accept race condition.

7CVSS

6.8AI Score

0.0004EPSS

2024-01-11 07:15 PM
50

CVE-2023-5197

A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. Addition and removal of rules from chain bindings within the same transaction leads to use-after-free. We recommend upgrading past commit f15f29fd4779be...

7.8CVSS

6.8AI Score

0.0004EPSS

2023-09-27 03:19 PM
57

CVE-2023-52340

The IPv6 implementation in the Linux kernel before 6.3 has a net/ipv6/route.c max_size threshold that can be consumed easily, e.g., leading to a denial of service (network is unreachable errors) when IPv6 packets are sent in a loop via a raw socket.

7.5CVSS

6.6AI Score

0.0005EPSS

2024-07-05 02:15 AM
110

CVE-2023-52429

dm_table_create in drivers/md/dm-table.c in the Linux kernel through 6.7.4 can attempt to (in alloc_targets) allocate more than INT_MAX bytes, and crash, because of a missing check for struct dm_ioctl.target_count.

5.5CVSS

5.8AI Score

0.0004EPSS

2024-02-12 03:15 AM
129

CVE-2023-52433

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction New elements in this transaction might expired before such transaction ends. Skip sync GC for such elements otherwise commit path might walk over an already...

6.5AI Score

0.0004EPSS

2024-02-20 01:15 PM
5151

CVE-2023-52434

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix potential OOBs in smb2_parse_contexts() Validate offsets and lengths before dereferencing create contexts in smb2_parse_contexts(). This fixes following oops when accessing invalid create contexts from server: BUG: u...

8CVSS

5.7AI Score

0.0004EPSS

2024-02-20 06:15 PM
581

CVE-2023-52435

In the Linux kernel, the following vulnerability has been resolved: net: prevent mss overflow in skb_segment() Once again syzbot is able to crash the kernel in skb_segment() [1] GSO_BY_FRAGS is a forbidden value, but unfortunately the following computation in skb_segment() can reach it quite easily ...

5.5CVSS

6.2AI Score

0.0004EPSS

2024-02-20 08:15 PM
529

CVE-2023-52436

In the Linux kernel, the following vulnerability has been resolved: f2fs: explicitly null-terminate the xattr list When setting an xattr, explicitly null-terminate the xattr list. This eliminates the fragile assumption that the unused xattr space is always zeroed.

7.8CVSS

6.3AI Score

0.0004EPSS

2024-02-20 09:15 PM
1431

CVE-2023-52438

In the Linux kernel, the following vulnerability has been resolved: binder: fix use-after-free in shinker's callback The mmap read lock is used during the shrinker's callback, which means that using alloc->vma pointer isn't safe as it can race with munmap(). As of commit dd2283f2605e ("mm: mmap: z...

7.8CVSS

6AI Score

0.0004EPSS

2024-02-20 09:15 PM
173

CVE-2023-52439

In the Linux kernel, the following vulnerability has been resolved: uio: Fix use-after-free in uio_open core-1 core-2 uio_unregister_device uio_open idev = idr_find() device_unregister(&idev->dev) put_device(&idev->dev) uio_device_release get_device(&idev->dev) kfree(idev) uio_free_minor(minor) ui...

7.8CVSS

6.2AI Score

0.0004EPSS

2024-02-20 09:15 PM
596

CVE-2023-52440

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slub overflow in ksmbd_decode_ntlmssp_auth_blob() If authblob->SessionKey.Length is bigger than session key size (CIFS_KEY_SIZE), slub overflow can happen in key exchange codes. cifs_arc4_crypt copy to session key array ...

7.8CVSS

7.5AI Score

0.0004EPSS

2024-02-21 08:15 AM
543

CVE-2023-52441

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix out of bounds in init_smb2_rsp_hdr() If client send smb2 negotiate request and then send smb1 negotiate request, init_smb2_rsp_hdr is called for smb1 negotiate request since need_neg is set to false. This patch ignore smb1...

7.8CVSS

7.2AI Score

0.0004EPSS

2024-02-21 08:15 AM
552

CVE-2023-52442

In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate session id and tree id in compound request smb2_get_msg() in smb2_get_ksmbd_tcon() and smb2_check_user_session() will always return the first request smb2 header in a compound request. if SMB2_TREE_CONNECT_HE is the f...

6.4AI Score

0.0004EPSS

2024-02-21 08:15 AM
5058

CVE-2023-52443

In the Linux kernel, the following vulnerability has been resolved: apparmor: avoid crash when parsed profile name is empty When processing a packed profile in unpack_profile() described like "profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}" a string ":samba-dcerpcd" is unpa...

5.5CVSS

4.9AI Score

0.0004EPSS

2024-02-22 05:15 PM
191

CVE-2023-52444

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid dirent corruption As Al reported in link[1]: f2fs_rename() ... if (old_dir != new_dir && !whiteout) f2fs_set_link(old_inode, old_dir_entry, old_dir_page, new_dir); else f2fs_put_page(old_dir_page, 0); You want correct ...

7.8CVSS

7.2AI Score

0.0004EPSS

2024-02-22 05:15 PM
172

CVE-2023-52445

In the Linux kernel, the following vulnerability has been resolved: media: pvrusb2: fix use after free on context disconnection Upon module load, a kthread is created targeting the pvr2_context_thread_func function, which may call pvr2_context_destroy and thus call kfree() on the context object. Howe...

7.8CVSS

7.1AI Score

0.0004EPSS

2024-02-22 05:15 PM
188

CVE-2023-52446

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix a race condition between btf_put() and map_free() When running ./test_progs -j in my local vm with latest kernel, I once hit a kasan error like below: [ 1887.184724] BUG: KASAN: slab-use-after-free in bpf_rb_root_free+0x1f8...

7.8CVSS

7.1AI Score

0.0004EPSS

2024-02-22 05:15 PM
185

CVE-2023-52447

In the Linux kernel, the following vulnerability has been resolved: bpf: Defer the free of inner map when necessary When updating or deleting an inner map in map array or map htab, the map may still be accessed by non-sleepable program or sleepable program. However bpf_map_fd_put_ptr() decreases the ...

7.8CVSS

7.2AI Score

0.0004EPSS

2024-02-22 05:15 PM
229

CVE-2023-52448

In the Linux kernel, the following vulnerability has been resolved: gfs2: Fix kernel NULL pointer dereference in gfs2_rgrp_dump Syzkaller has reported a NULL pointer dereference when accessing rgd->rd_rgl in gfs2_rgrp_dump(). This can happen when creating rgd->rd_gl fails in read_rindex_entry()...

5.5CVSS

5.8AI Score

0.0004EPSS

2024-02-22 05:15 PM
276

CVE-2023-52449

In the Linux kernel, the following vulnerability has been resolved: mtd: Fix gluebi NULL pointer dereference caused by ftl notifier If both ftl.ko and gluebi.ko are loaded, the notifier of ftl triggers NULL pointer dereference when trying to access ‘gluebi->desc’ in gluebi_read(). ubi_gluebi_initu...

5.5CVSS

5.9AI Score

0.0004EPSS

2024-02-22 05:15 PM
277

CVE-2023-52450

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/uncore: Fix NULL pointer dereference issue in upi_fill_topology() Get logical socket id instead of physical id in discover_upi_topology() to avoid out-of-bound access on 'upi = &type->topology[nid][idx];' line that ...

5.5CVSS

6AI Score

0.0004EPSS

2024-02-22 05:15 PM
282

CVE-2023-52451

In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries/memhp: Fix access beyond end of drmem array dlpar_memory_remove_by_index() may access beyond the bounds of the drmem lmb array when the LMB lookup fails to match an entry with the given DRC index. When the search fail...

7.8CVSS

6AI Score

0.0004EPSS

2024-02-22 05:15 PM
273

CVE-2023-52452

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix accesses to uninit stack slots Privileged programs are supposed to be able to read uninitialized stack memory (ever since 6715df8d5) but, before this patch, these accesses were permitted inconsistently. In particular, access...

7.8CVSS

6.2AI Score

0.0004EPSS

2024-02-22 05:15 PM
299

CVE-2023-52453

In the Linux kernel, the following vulnerability has been resolved: hisi_acc_vfio_pci: Update migration data pointer correctly on saving/resume When the optional PRE_COPY support was added to speed up the device compatibility check, it failed to update the saving/resuming data pointers based on the f...

6.2AI Score

0.0004EPSS

2024-02-23 03:15 PM
4776

CVE-2023-52454

In the Linux kernel, the following vulnerability has been resolved: nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length If the host sends an H2CData command with an invalid DATAL, the kernel may crash in nvmet_tcp_build_pdu_iovec(). Unable to handle kernel NULL pointer dereferenc...

5.5CVSS

6AI Score

0.0004EPSS

2024-02-23 03:15 PM
1132

CVE-2023-52455

In the Linux kernel, the following vulnerability has been resolved: iommu: Don't reserve 0-length IOVA region When the bootloader/firmware doesn't setup the framebuffers, their address and size are 0 in "iommu-addresses" property. If IOVA region is reserved with 0 length, then it ends up corrupting t...

7.8CVSS

6.2AI Score

0.0004EPSS

2024-02-23 03:15 PM
1394

CVE-2023-52456

In the Linux kernel, the following vulnerability has been resolved: serial: imx: fix tx statemachine deadlock When using the serial port as RS485 port, the tx statemachine is used to control the RTS pin to drive the RS485 transceiver TX_EN pin. When the TTY port is closed in the middle of a transmiss...

5.5CVSS

6.3AI Score

0.0004EPSS

2024-02-23 03:15 PM
1621

CVE-2023-52457

In the Linux kernel, the following vulnerability has been resolved: serial: 8250: omap: Don't skip resource freeing if pm_runtime_resume_and_get() failed Returning an error code from .remove() makes the driver core emit the little helpful error message: remove callback returned a non-zero value. Thi...

7.8CVSS

6.3AI Score

0.0004EPSS

2024-02-23 03:15 PM
1404

CVE-2023-52458

In the Linux kernel, the following vulnerability has been resolved: block: add check that partition length needs to be aligned with block size Before calling add partition or resize partition, there is no check on whether the length is aligned with the logical block size. If the logical block size of...

5.5CVSS

6.1AI Score

0.0004EPSS

2024-02-23 03:15 PM
1131

CVE-2023-52459

In the Linux kernel, the following vulnerability has been resolved: media: v4l: async: Fix duplicated list deletion The list deletion call dropped here is already called from the helper function in the line before. Having a second list_del() call results in either a warning (with CONFIG_DEBUG_LIST=y)...

5.5CVSS

6.5AI Score

0.0004EPSS

2024-02-23 03:15 PM
1143

CVE-2023-52460

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Fix NULL pointer dereference at hibernate During hibernate sequence the source context might not have a clk_mgr. So don't use it to look for DML2 support.

5.5CVSS

6.7AI Score

0.0004EPSS

2024-02-23 03:15 PM
1345

CVE-2023-52461

In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix bounds limiting when given a malformed entity If we're given a malformed entity in drm_sched_entity_init()--shouldn't happen, but we verify--with out-of-bounds priority value, we set it to an allowed value. Fix the exp...

6.5AI Score

0.0004EPSS

2024-02-23 03:15 PM
4791

CVE-2023-52462

In the Linux kernel, the following vulnerability has been resolved: bpf: fix check for attempt to corrupt spilled pointer When register is spilled onto a stack as a 1/2/4-byte register, we set slot_type[BPF_REG_SIZE - 1] (plus potentially few more below it, depending on actual spill size). So to chec...

5.5CVSS

6.1AI Score

0.0004EPSS

2024-02-23 03:15 PM
1089

CVE-2023-52463

In the Linux kernel, the following vulnerability has been resolved: efivarfs: force RO when remounting if SetVariable is not supported If SetVariable at runtime is not supported by the firmware we never assign a callback for that function. At the same time mount the efivarfs as RO so no one can call ...

5.5CVSS

6AI Score

0.0004EPSS

2024-02-23 03:15 PM
1058

CVE-2023-52464

In the Linux kernel, the following vulnerability has been resolved: EDAC/thunderx: Fix possible out-of-bounds string access Enabling -Wstringop-overflow globally exposes a warning for a common bug in the usage of strncat(): drivers/edac/thunderx_edac.c: In function 'thunderx_ocx_com_threaded_isr': dr...

7.8CVSS

6.1AI Score

0.0004EPSS

2024-02-23 03:15 PM
1325

CVE-2023-52465

In the Linux kernel, the following vulnerability has been resolved: power: supply: Fix null pointer dereference in smb2_probe devm_kasprintf and devm_kzalloc return a pointer to dynamically allocated memory which can be NULL upon failure.

5.5CVSS

6.3AI Score

0.0004EPSS

2024-02-26 04:27 PM
1110

CVE-2023-52467

In the Linux kernel, the following vulnerability has been resolved: mfd: syscon: Fix null pointer dereference in of_syscon_register() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure.

5.5CVSS

6.1AI Score

0.0004EPSS

2024-02-26 04:27 PM
1154

CVE-2023-52468

In the Linux kernel, the following vulnerability has been resolved: class: fix use-after-free in class_register() The lock_class_key is still registered and can be found in lock_keys_hash hlist after subsys_private is freed in error handler path. A task who iterate over the lock_keys_hash later may cau...

7.8CVSS

6.4AI Score

0.0004EPSS

2024-02-26 04:27 PM
1126

CVE-2023-52469

In the Linux kernel, the following vulnerability has been resolved: drivers/amd/pm: fix a use-after-free in kv_parse_power_table When ps allocated by kzalloc equals to NULL, kv_parse_power_table frees adev->pm.dpm.ps that allocated before. However, after the control flow goes through the following...

7.8CVSS

6.3AI Score

0.0004EPSS

2024-02-26 04:27 PM
1146

CVE-2023-52470

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: check the alloc_workqueue return value in radeon_crtc_init() check the alloc_workqueue return value in radeon_crtc_init() to avoid null-ptr-deref.

5.5CVSS

6.1AI Score

0.0004EPSS

2024-02-26 04:27 PM
1158
Total number of security vulnerabilities: 6678