CVE-2024-44981

In the Linux kernel, the following vulnerability has been resolved: workqueue: Fix UBSAN 'subtraction overflow' error in shift_and_mask() UBSAN reports the following 'subtraction overflow' error when bootingin a virtual machine on Android: | Internal error: UBSAN: integer subtraction overflow: 0000...

CVE-2024-26808

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_chain_filter: handle NETDEV_UNREGISTER for inet/ingress basechain Remove netdevice from inet/ingress basechain in case NETDEV_UNREGISTERevent is reported, otherwise a stale reference to netdevice remains inthe hook l...

CVE-2024-36901

In the Linux kernel, the following vulnerability has been resolved: ipv6: prevent NULL dereference in ip6_output() According to syzbot, there is a chance that ip6_dst_idev()returns NULL in ip6_output(). Most places in IPv6 stackdeal with a NULL idev just fine, but not here. syzbot reported: general...

CVE-2024-39471

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: add error handle to avoid out-of-bounds if the sdma_v4_0_irq_id_to_seq return -EINVAL, the process shouldbe stop to avoid out-of-bounds read, so directly return -EINVAL.

CVE-2024-53053

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: core: Fix another deadlock during RTC update If ufshcd_rtc_work calls ufshcd_rpm_put_sync() and the pm's usage_countis 0, we will enter the runtime suspend callback. However, the runtimesuspend callback will wait to flus...

CVE-2024-53096

In the Linux kernel, the following vulnerability has been resolved: mm: resolve faulty mmap_region() error path behaviour The mmap_region() function is somewhat terrifying, with spaghetti-likecontrol flow and numerous means by which issues can arise and incompletestate, memory leaks and other unple...

CVE-2024-26633

In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: fix NEXTHDR_FRAGMENT handling in ip6_tnl_parse_tlv_enc_lim() syzbot pointed out [1] that NEXTHDR_FRAGMENT handling is broken. Reading frag_off can only be done if we pulled enough bytesto skb->head. Currently we migh...

CVE-2024-26671

In the Linux kernel, the following vulnerability has been resolved: blk-mq: fix IO hang from sbitmap wakeup race In blk_mq_mark_tag_wait(), __add_wait_queue() may be re-orderedwith the following blk_mq_get_driver_tag() in case of getting drivertag failure. Then in __sbitmap_queue_wake_up(), waitque...

CVE-2023-52581

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: fix memleak when more than 255 elements expired When more than 255 elements expired we're supposed to switch to a new gccontainer structure. This never happens: u8 type will wrap before reaching the boundaryan...

CVE-2023-52664

In the Linux kernel, the following vulnerability has been resolved: net: atlantic: eliminate double free in error handling logic Driver has a logic leak in ring data allocation/free,where aq_ring_free could be called multiple times on same ring,if system is under stress and got memory allocation er...

CVE-2024-26660

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Implement bounds check for stream encoder creation in DCN301 'stream_enc_regs' array is an array of dcn10_stream_enc_registersstructures. The array is initialized with four elements, correspondingto the four calls ...

CVE-2024-42244

In the Linux kernel, the following vulnerability has been resolved: USB: serial: mos7840: fix crash on resume Since commit c49cfa917025 ("USB: serial: use generic method if noalternative is provided in usb serial layer"), USB serial core calls thegeneric resume implementation when the driver has no...

CVE-2024-50033

In the Linux kernel, the following vulnerability has been resolved: slip: make slhc_remember() more robust against malicious packets syzbot found that slhc_remember() was missing checks againstmalicious packets [1]. slhc_remember() only checked the size of the packet was at least 20,which is not go...

CVE-2024-50058

In the Linux kernel, the following vulnerability has been resolved: serial: protect uart_port_dtr_rts() in uart_shutdown() too Commit af224ca2df29 (serial: core: Prevent unsafe uart port access, part3) added few uport == NULL checks. It added one to uart_shutdown(), sothe commit assumes, uport can ...

CVE-2021-47101

In the Linux kernel, the following vulnerability has been resolved: asix: fix uninit-value in asix_mdio_read() asix_read_cmd() may read less than sizeof(smsr) bytes and in this casesmsr will be uninitialized. Fail log:BUG: KMSAN: uninit-value in asix_check_host_enable drivers/net/usb/asix_common.c:...

CVE-2023-52530

In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211: fix potential key use-after-free When ieee80211_key_link() is called by ieee80211_gtk_rekey_add()but returns 0 due to KRACK protection (identical key reinstall),ieee80211_gtk_rekey_add() will still return a pointer ...

CVE-2023-52622

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid online resizing failures due to oversized flex bg When we online resize an ext4 filesystem with a oversized flexbg_size, mkfs.ext4 -F -G 67108864 $dev -b 4096 100M mount $dev $dir resize2fs $dev 16G the following WARN_O...

CVE-2024-26631

In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: fix data-race in ipv6_mc_down / mld_ifc_work idev->mc_ifc_count can be written over without proper locking. Originally found by syzbot [1], fix this issue by encapsulating callsto mld_ifc_stop_work() (and mld_gq_sto...

CVE-2024-26678

In the Linux kernel, the following vulnerability has been resolved: x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section The .compat section is a dummy PE section that contains the address ofthe 32-bit entrypoint of the 64-bit kernel image if it is bootable from32-bit firmware (i.e....

CVE-2024-26679

In the Linux kernel, the following vulnerability has been resolved: inet: read sk->sk_family once in inet_recv_error() inet_recv_error() is called without holding the socket lock. IPv6 socket could mutate to IPv4 with IPV6_ADDRFORMsocket option and trigger a KCSAN warning.

CVE-2024-26704

In the Linux kernel, the following vulnerability has been resolved: ext4: fix double-free of blocks due to wrong extents moved_len In ext4_move_extents(), moved_len is only updated when all moves aresuccessfully executed, and only discards orig_inode and donor_inodepreallocations when moved_len is ...

CVE-2024-26927

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Add some bounds checking to firmware data Smatch complains about "head->full_size - head->header_size" canunderflow. To some extent, we're always going to have to trust thefirmware a bit. However, it's easy enough ...

CVE-2024-35995

In the Linux kernel, the following vulnerability has been resolved: ACPI: CPPC: Use access_width over bit_width for system memory accesses To align with ACPI 6.3+, since bit_width can be any 8-bit value, itcannot be depended on to be always on a clean 8b boundary. This wasuncovered on the Cobalt 10...

CVE-2024-38619

In the Linux kernel, the following vulnerability has been resolved: usb-storage: alauda: Check whether the media is initialized The member "uzonesize" of struct alauda_info will remain 0if alauda_init_media() fails, potentially causing divide errorsin alauda_read_data() and alauda_write_lba(). Add ...

CVE-2024-42077

In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix DIO failure due to insufficient transaction credits The code in ocfs2_dio_end_io_write() estimates number of necessarytransaction credits using ocfs2_calc_extend_credits(). This however doesnot take into account that the...

CVE-2024-50047

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix UAF in async decryption Doing an async decryption (large read) crashes with aslab-use-after-free way down in the crypto API. Reproducer:# mount.cifs -o ...,seal,esize=1 //srv/share /mnt# dd if=/mnt/largefile of=/de...

CVE-2024-50064

In the Linux kernel, the following vulnerability has been resolved: zram: free secondary algorithms names We need to kfree() secondary algorithms names when reset zram device thathad multi-streams, otherwise we leak memory. [[email protected]: kfree(NULL) is legal]

CVE-2021-47222

In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix vlan tunnel dst refcnt when egressing The egress tunnel code uses dst_clone() and directly sets the resultwhich is wrong because the entry might have 0 refcnt or be already deleted,causing number of problems. It al...

CVE-2023-52623

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix a suspicious RCU usage warning I received the following warning while running cthon against an ontapserver running pNFS: [ 57.202521] =============================[ 57.202522] WARNING: suspicious RCU usage[ 57.202523] 6...

CVE-2024-23307

Integer Overflow or Wraparound vulnerability in Linux Linux kernel kernel on Linux, x86, ARM (md, raid, raid5 modules) allows Forced Integer Overflow.

CVE-2024-26669

In the Linux kernel, the following vulnerability has been resolved: net/sched: flower: Fix chain template offload When a qdisc is deleted from a net device the stack instructs theunderlying driver to remove its flow offload callback from theassociated filter block using the 'FLOW_BLOCK_UNBIND' comm...

CVE-2024-26774

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid dividing by 0 in mb_update_avg_fragment_size() when block bitmap corrupt Determine if bb_fragments is 0 instead of determining bb_free to eliminatethe risk of dividing by zero when the block bitmap is corrupted.

CVE-2024-26803

In the Linux kernel, the following vulnerability has been resolved: net: veth: clear GRO when clearing XDP even when down veth sets NETIF_F_GRO automatically when XDP is enabled,because both features use the same NAPI machinery. The logic to clear NETIF_F_GRO sits in veth_disable_xdp() whichis call...

CVE-2024-26949

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/pm: Fix NULL pointer dereference when get power limit Because powerplay_table initialization is skipped undersriov case, We check and set default lower and upper ODvalue if powerplay_table is NULL.

CVE-2024-27015

In the Linux kernel, the following vulnerability has been resolved: netfilter: flowtable: incorrect pppoe tuple pppoe traffic reaching ingress path does not match the flowtable entrybecause the pppoe header is expected to be at the network header offset.This bug causes a mismatch in the flow table ...

CVE-2024-35809

In the Linux kernel, the following vulnerability has been resolved: PCI/PM: Drain runtime-idle callbacks before driver removal A race condition between the .runtime_idle() callback and the .remove()callback in the rtsx_pcr PCI driver leads to a kernel crash due to anunhandled page fault [1]. The pr...

CVE-2024-42283

In the Linux kernel, the following vulnerability has been resolved: net: nexthop: Initialize all fields in dumped nexthops struct nexthop_grp contains two reserved fields that are not initialized bynla_put_nh_group(), and carry garbage. This can be observed e.g. withstrace (edited for clarity): # i...

CVE-2023-52806

In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: Fix possible null-ptr-deref when assigning a stream While AudioDSP drivers assign streams exclusively of HOST or LINK type,nothing blocks a user to attempt to assign a COUPLED stream. Assupplied substream instance may be...

CVE-2024-26638

In the Linux kernel, the following vulnerability has been resolved: nbd: always initialize struct msghdr completely syzbot complains that msg->msg_get_inq value can be uninitialized [1] struct msghdr got many new fields recently, we should always makesure their values is zero by default. [1]BUG:...

CVE-2024-26707

In the Linux kernel, the following vulnerability has been resolved: net: hsr: remove WARN_ONCE() in send_hsr_supervision_frame() Syzkaller reported [1] hitting a warning after failing to allocateresources for skb in hsr_init_skb(). Since a WARN_ONCE() call willnot help much in this case, it might b...

CVE-2024-26846

In the Linux kernel, the following vulnerability has been resolved: nvme-fc: do not wait in vain when unloading module The module exit path has race between deleting all controllers andfreeing 'left over IDs'. To prevent double free a synchronizationbetween nvme_delete_ctrl and ida_destroy has been...

CVE-2024-26919

In the Linux kernel, the following vulnerability has been resolved: usb: ulpi: Fix debugfs directory leak The ULPI per-device debugfs root is named after the ulpi device'sparent, but ulpi_unregister_interface tries to remove a debugfsdirectory named after the ulpi device itself. This results in the...

CVE-2024-35930

In the Linux kernel, the following vulnerability has been resolved: scsi: lpfc: Fix possible memory leak in lpfc_rcv_padisc() The call to lpfc_sli4_resume_rpi() in lpfc_rcv_padisc() may return anunsuccessful status. In such cases, the elsiocb is not issued, thecompletion is not called, and thus the...

CVE-2024-36940

In the Linux kernel, the following vulnerability has been resolved: pinctrl: core: delete incorrect free in pinctrl_enable() The "pctldev" struct is allocated in devm_pinctrl_register_and_init().It's a devm_ managed pointer that is freed by devm_pinctrl_dev_release(),so freeing it in pinctrl_enable...

CVE-2024-42268

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Fix missing lock on sync reset reload On sync reset reload work, when remote host updates devlink on reloadactions performed on that host, it misses taking devlink lock beforecalling devlink_remote_reload_actions_performe...

CVE-2024-44944

In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: use helper function to calculate expect ID Delete expectation path is missing a call to the nf_expect_get_id()helper function to calculate the expectation ID, otherwise LSB of theexpectation object address is ...

CVE-2024-26687

In the Linux kernel, the following vulnerability has been resolved: xen/events: close evtchn after mapping cleanup shutdown_pirq and startup_pirq are not taking theirq_mapping_update_lock because they can't due to lock inversion. Bothare called with the irq_desc->lock being taking. The lock orde...

CVE-2024-26826

In the Linux kernel, the following vulnerability has been resolved: mptcp: fix data re-injection from stale subflow When the MPTCP PM detects that a subflow is stale, all the packetscheduler must re-inject all the mptcp-level unacked data. To avoidacquiring unneeded locks, it first try to check if ...

CVE-2024-26843

In the Linux kernel, the following vulnerability has been resolved: efi: runtime: Fix potential overflow of soft-reserved region size md_size will have been narrowed if we have >= 4GB worth of pages in asoft-reserved region.

CVE-2024-26890

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btrtl: fix out of bounds memory access The problem is detected by KASAN.btrtl driver uses private hci data to store 'struct btrealtek_data'.If btrtl driver is used with btusb, then memory for private hci datais allocated...