Lucene search

4367 matches found

added 2024/04/03 3:15 p.m., 93 views

CVE-2023-52639

In the Linux kernel, the following vulnerability has been resolved: KVM: s390: vsie: fix race during shadow creation Right now it is possible to see gmap->private being zero in kvm_s390_vsie_gmap_notifier resulting in a crash. This is due to the fact that we add gmap->private == kvm after creat...

CVSS 4.7, AI score 6.1, EPSS 0.00012

added 2024/05/17 2:15 p.m., 93 views

CVE-2023-52667

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: fix a potential double-free in fs_any_create_groups When kcalloc() for ft->g succeeds but kvzalloc() for in fails, fs_any_create_groups() will free ft->g. However, its caller fs_any_create_table() will free ft->g ...

CVSS 7.8, AI score 6.7, EPSS 0.00196

added 2024/05/21 4:15 p.m., 93 views

CVE-2023-52859

In the Linux kernel, the following vulnerability has been resolved: perf: hisi: Fix use-after-free when register pmu fails When we fail to register the uncore pmu, the pmu context may not been allocated. The error handling will call cpuhp_state_remove_instance() to call uncore pmu offline callback, wh...

CVSS 7.8, AI score 6.9, EPSS 0.00016

added 2024/07/14 8:15 a.m., 93 views

CVE-2023-52885

In the Linux kernel, the following vulnerability has been resolved: SUNRPC: Fix UAF in svc_tcp_listen_data_ready() After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window that the newsock retaining a freed listener svc_sock in sk_us...

CVSS 7.8, AI score 7, EPSS 0.0002

added 2024/04/03 3:15 p.m., 93 views

CVE-2024-26702

In the Linux kernel, the following vulnerability has been resolved: iio: magnetometer: rm3100: add boundary check for the value read from RM3100_REG_TMRC Recently, we encounter kernel crash in function rm3100_common_probe caused by out of bound access of array rm3100_samp_rates (because of underlying...

CVSS 5.5, AI score 6.1, EPSS 0.00007

added 2024/04/03 5:15 p.m., 93 views

CVE-2024-26737

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix racing between bpf_timer_cancel_and_free and bpf_timer_cancel The following race is possible between bpf_timer_cancel_and_free and bpf_timer_cancel. It will lead a UAF on the timer->timer. bpf_timer_cancel(); spin_lock();...

CVSS 5.5, AI score 7, EPSS 0.00009

added 2024/04/17 11:15 a.m., 93 views

CVE-2024-26881

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix kernel crash when 1588 is received on HIP08 devices The HIP08 devices does not register the ptp devices, so the hdev->ptp is NULL, but the hardware can receive 1588 messages, and set the HNS3_RXD_TS_VLD_B bit, so, i...

CVSS 5.5, AI score 6.4, EPSS 0.00008

added 2024/04/17 11:15 a.m., 93 views

CVE-2024-26888

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: msft: Fix memory leak Fix leaking buffer allocated to send MSFT_OP_LE_MONITOR_ADVERTISEMENT.

CVSS 5.5, AI score 6.9, EPSS 0.0001

added 2024/05/17 12:15 p.m., 93 views

CVE-2024-27417

In the Linux kernel, the following vulnerability has been resolved: ipv6: fix potential "struct net" leak in inet6_rtm_getaddr() It seems that if userspace provides a correct IFA_TARGET_NETNSID value but no IFA_ADDRESS and IFA_LOCAL attributes, inet6_rtm_getaddr() returns -EINVAL with an elevated "st...

AI score 6.7, EPSS 0.00043

added 2024/05/20 10:15 a.m., 93 views

CVE-2024-36007

In the Linux kernel, the following vulnerability has been resolved: mlxsw: spectrum_acl_tcam: Fix warning during rehash As previously explained, the rehash delayed work migrates filters from one region to another. This is done by iterating over all chunks (all the filters with the same priority) in t...

CVSS 5.5, AI score 6.6, EPSS 0.00012

added 2024/05/30 4:15 p.m., 93 views

CVE-2024-36929

In the Linux kernel, the following vulnerability has been resolved: net: core: reject skb_copy(_expand) for fraglist GSO skbs SKB_GSO_FRAGLIST skbs must not be linearized, otherwise they become invalid. Return NULL if such an skb is passed to skb_copy or skb_copy_expand, in order to prevent a crash o...

AI score 6.5, EPSS 0.00054

added 2024/06/08 1:15 p.m., 93 views

CVE-2024-36967

In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix memory leak in tpm2_key_encode() 'scratch' is never freed. Fix this by calling kfree() in the success, and in the error case.

CVSS 5.5, AI score 7, EPSS 0.00013

added 2024/06/25 3:15 p.m., 93 views

CVE-2024-39298

In the Linux kernel, the following vulnerability has been resolved: mm/memory-failure: fix handling of dissolved but not taken off from buddy pages When I did memory failure tests recently, below panic occurs: page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x8cee00 flags: 0x6fffe...

AI score 7, EPSS 0.00172

added 2024/07/12 1:15 p.m., 93 views

CVE-2024-40974

In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Enforce hcall result buffer validity and size plpar_hcall(), plpar_hcall9(), and related functions expect callers to provide valid result buffers of certain minimum size. Currently this is communicated only through c...

AI score 6.9, EPSS 0.00263

added 2024/07/29 3:15 p.m., 93 views

CVE-2024-41058

In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in fscache_withdraw_volume() We got the following issue in our fault injection stress test: ================================================================== BUG: KASAN: slab-use-after-free in fs...

CVSS 7.8, AI score 6.9, EPSS 0.0005

added 2024/07/29 3:15 p.m., 93 views

CVE-2024-41079

In the Linux kernel, the following vulnerability has been resolved: nvmet: always initialize cqe.result The spec doesn't mandate that the first two double words (aka results) for the command queue entry need to be set to 0 when they are not used (not specified). Though, the target implementation return...

AI score 6.7, EPSS 0.00131

added 2024/07/29 4:15 p.m., 93 views

CVE-2024-42074

In the Linux kernel, the following vulnerability has been resolved: ASoC: amd: acp: add a null check for chip_pdev structure When acp platform device creation is skipped, chip->chip_pdev value will remain NULL. Add NULL check for chip->chip_pdev structure in snd_acp_resume() function to avoid n...

CVSS 5.5, AI score 6.6, EPSS 0.00033

added 2024/08/26 8:15 a.m., 93 views

CVE-2024-43884

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: MGMT: Add error handling to pair_device() hci_conn_params_add() never checks for a NULL value and could lead to a NULL pointer dereference causing a crash. Fixed by adding error handling in the function.

CVSS 5.5, AI score 6.5, EPSS 0.00101

added 2024/09/13 6:15 a.m., 93 views

CVE-2024-46673

In the Linux kernel, the following vulnerability has been resolved: scsi: aacraid: Fix double-free on probe failure aac_probe_one() calls hardware-specific init functions through the aac_driver_ident::init pointer, all of which eventually call down to aac_init_adapter(). If aac_init_adapter() fails a...

CVSS 7.8, AI score 7.4, EPSS 0.00046

added 2024/10/21 6:15 p.m., 93 views

CVE-2024-49927

In the Linux kernel, the following vulnerability has been resolved: x86/ioapic: Handle allocation failures gracefully Breno observed panics when using failslab under certain conditions during runtime: can not alloc irq_pin_list (-1,0,20) Kernel panic - not syncing: IO-APIC: failed to add irq-pin. Can...

CVSS 5.5, AI score 5.3, EPSS 0.00035

added 2024/10/21 6:15 p.m., 93 views

CVE-2024-49944

In the Linux kernel, the following vulnerability has been resolved: sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start In sctp_listen_start() invoked by sctp_inet_listen(), it should set the sk_state back to CLOSED if sctp_autobind() fails due to whatever reason. Otherwise, nex...

CVSS 5.5, AI score 5.1, EPSS 0.00042

added 2024/10/21 8:15 p.m., 93 views

CVE-2024-50019

In the Linux kernel, the following vulnerability has been resolved: kthread: unpark only parked kthread Calling into kthread unparking unconditionally is mostly harmless when the kthread is already unparked. The wake up is then simply ignored because the target is not in TASK_PARKED state. However if...

CVSS 5.5, AI score 5.1, EPSS 0.00044

added 2024/10/29 1:15 a.m., 93 views

CVE-2024-50068

In the Linux kernel, the following vulnerability has been resolved: mm/damon/tests/sysfs-kunit.h: fix memory leak in damon_sysfs_test_add_targets() The sysfs_target->regions allocated in damon_sysfs_regions_alloc() is not freed in damon_sysfs_test_add_targets(), which cause the following memory le...

CVSS 5.5, AI score 5.3, EPSS 0.00044

added 2024/11/07 10:15 a.m., 93 views

CVE-2024-50162

In the Linux kernel, the following vulnerability has been resolved: bpf: devmap: provide rxq after redirect rxq contains a pointer to the device from where the redirect happened. Currently, the BPF program that was executed after a redirect via BPF_MAP_TYPE_DEVMAP* does not have it set. This is partic...

CVSS 5.5, AI score 4.9, EPSS 0.0003

added 2024/11/21 7:15 p.m., 93 views

CVE-2024-53091

In the Linux kernel, the following vulnerability has been resolved: bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx As the introduction of the support for vsock and unix sockets in sockmap, tls_sw_has_ctx_tx/rx cannot presume the socket passed in must be IS_ICSK. vsock and af_unix socke...

CVSS 5.5, AI score 7, EPSS 0.00024

added 2024/11/25 10:15 p.m., 93 views

CVE-2024-53100

In the Linux kernel, the following vulnerability has been resolved: nvme: tcp: avoid race between queue_lock lock and destroy Commit 76d54bf20cdc ("nvme-tcp: don't access released socket during error recovery") added a mutex_lock() call for the queue->queue_lock in nvme_tcp_get_address(). However,...

CVSS 4.7, AI score 6.4, EPSS 0.00023

added 2024/11/25 10:15 p.m., 93 views

CVE-2024-53101

In the Linux kernel, the following vulnerability has been resolved: fs: Fix uninitialized value issue in from_kuid and from_kgid ocfs2_setattr() uses attr->ia_mode, attr->ia_uid and attr->ia_gid in a trace point even though ATTR_MODE, ATTR_UID and ATTR_GID aren't set. Initialize all fields ...

CVSS 5.5, AI score 6.5, EPSS 0.00029

added 2024/12/27 3:15 p.m., 93 views

CVE-2024-56567

In the Linux kernel, the following vulnerability has been resolved: ad7780: fix division by zero in ad7780_write_raw() In the ad7780_write_raw(), val2 can be zero, which might lead to a division by zero error in DIV_ROUND_CLOSEST(). The ad7780_write_raw() is based on iio_info's write_raw. While val ...

CVSS 5.5, AI score 6.4, EPSS 0.00037

added 2024/12/29 12:15 p.m., 93 views

CVE-2024-56729

In the Linux kernel, the following vulnerability has been resolved: smb: Initialize cfid->tcon before performing network ops Avoid leaking a tcon ref when a lease break races with opening the cached directory. Processing the leak break might take a reference to the tcon in cached_dir_lease_break()...

CVSS 4.7, AI score 6.5, EPSS 0.00041

added 2024/12/29 12:15 p.m., 93 views

CVE-2024-56755

In the Linux kernel, the following vulnerability has been resolved: netfs/fscache: Add a memory barrier for FSCACHE_VOLUME_CREATING In fscache_create_volume(), there is a missing memory barrier between the bit-clearing operation and the wake-up operation. This may cause a situation where, after a wak...

CVSS 5.5, AI score 6.5, EPSS 0.00041

added 2024/02/28 9:15 a.m., 92 views

CVE-2021-46993

In the Linux kernel, the following vulnerability has been resolved: sched: Fix out-of-bound access in uclamp Util-clamp places tasks in different buckets based on their clamp values for performance reasons. However, the size of buckets is currently computed using a rounding division, which can lead t...

CVSS 7.1, AI score 6.5, EPSS 0.00121

added 2024/02/29 11:15 p.m., 92 views

CVE-2021-47056

In the Linux kernel, the following vulnerability has been resolved: crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init ADF_STATUS_PF_RUNNING is (only) used and checked by adf_vf2pf_shutdown() before calling adf_iov_putmsg()->mutex_lock(vf2pf_lock), however the vf2pf_lock is initi...

CVSS 5.5, AI score 6.3, EPSS 0.00007

added 2024/03/01 10:15 p.m., 92 views

CVE-2021-47080

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Prevent divide-by-zero error triggered by the user The user_entry_size is supplied by the user and later used as a denominator to calculate number of entries. The zero supplied by the user will trigger the following divide...

CVSS 5.5, AI score 6.2, EPSS 0.00018

added 2024/03/25 9:15 a.m., 92 views

CVE-2021-47153

In the Linux kernel, the following vulnerability has been resolved: i2c: i801: Don't generate an interrupt on bus reset Now that the i2c-i801 driver supports interrupts, setting the KILL bit in an attempt to recover from a timed out transaction triggers an interrupt. Unfortunately, the interrupt handl...

CVSS 6, AI score 6.8, EPSS 0.00006

added 2024/04/10 7:15 p.m., 92 views

CVE-2021-47191

In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Fix out-of-bound read in resp_readcap16() The following warning was observed running syzkaller: [ 3813.830724] sg_write: data in/out 65466/242 bytes for SCSI command 0x9e-- guessing data in; [ 3813.830724] program ...

CVSS 7.1, AI score 6.4, EPSS 0.00009

added 2024/05/22 9:15 a.m., 92 views

CVE-2021-47491

In the Linux kernel, the following vulnerability has been resolved: mm: khugepaged: skip huge page collapse for special files The read-only THP for filesystems will collapse THP for files opened readonly and mapped with VM_EXEC. The intended usecase is to avoid TLB misses for large text segments. But...

AI score 6.6, EPSS 0.00033

added 2024/03/05 12:15 p.m., 92 views

CVE-2022-48630

In the Linux kernel, the following vulnerability has been resolved: crypto: qcom-rng - fix infinite loop on requests not multiple of WORD_SZ The commit referenced in the Fixes tag removed the 'break' from the else branch in qcom_rng_read(), causing an infinite loop whenever 'max' is not a multiple of...

CVSS 5.5, AI score 6.2, EPSS 0.00004

added 2024/08/22 2:15 a.m., 92 views

CVE-2022-48912

In the Linux kernel, the following vulnerability has been resolved: netfilter: fix use-after-free in __nf_register_net_hook() We must not dereference @new_hooks after nf_hook_mutex has been released, because other threads might have freed our allocated hooks already. BUG: KASAN: use-after-free in nf...

CVSS 7.8, AI score 6.5, EPSS 0.00049

added 2024/10/21 8:15 p.m., 92 views

CVE-2022-49006

In the Linux kernel, the following vulnerability has been resolved: tracing: Free buffers when a used dynamic event is removed After 65536 dynamic events have been added and removed, the "type" field of the event then uses the first type number that is available (not currently used by other events). ...

CVSS 7.8, AI score 7.4, EPSS 0.0011

added 2024/03/18 11:15 a.m., 92 views

CVE-2023-52609

In the Linux kernel, the following vulnerability has been resolved: binder: fix race between mmput() and do_exit() Task A calls binder_update_page_range() to allocate and insert pages on a remote address space from Task B. For this, Task A pins the remote mm via mmget_not_zero() first. This can race ...

CVSS 4.7, AI score 6.2, EPSS 0.0001

added 2024/05/17 2:15 p.m., 92 views

CVE-2023-52672

In the Linux kernel, the following vulnerability has been resolved: pipe: wakeup wr_wait after setting max_usage Commit c73be61cede5 ("pipe: Add general notification queue support") a regression was introduced that would lock up resized pipes under certain conditions. See the reproducer in [1]. The c...

CVSS 7, AI score 6.7, EPSS 0.00011

added 2024/05/17 3:15 p.m., 92 views

CVE-2023-52675

In the Linux kernel, the following vulnerability has been resolved: powerpc/imc-pmu: Add a null pointer check in update_events_in_group() kasprintf() returns a pointer to dynamically allocated memory which can be NULL upon failure.

CVSS 5.5, AI score 6.6, EPSS 0.00013

added 2024/04/01 3:15 a.m., 92 views

CVE-2024-20040

In wlan firmware, there is a possible out of bounds write due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08360153 (for MT6XXX chipsets) / WCNCR00363530...

CVSS 8.8, AI score 7.3, EPSS 0.00888

added 2024/04/17 11:15 a.m., 92 views

CVE-2024-26893

In the Linux kernel, the following vulnerability has been resolved: firmware: arm_scmi: Fix double free in SMC transport cleanup path When the generic SCMI code tears down a channel, it calls the chan_free callback function, defined by each transport. Since multiple protocols might share the same tra...

CVSS 5.5, AI score 6.7, EPSS 0.00011

added 2024/04/17 11:15 a.m., 92 views

CVE-2024-26896

In the Linux kernel, the following vulnerability has been resolved: wifi: wfx: fix memory leak when starting AP Kmemleak reported this error: unreferenced object 0xd73d1180 (size 184): comm "wpa_supplicant", pid 1559, jiffies 13006305 (age 964.245s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 0...

CVSS 5.5, AI score 6.3, EPSS 0.00011

added 2024/05/01 1:15 p.m., 92 views

CVE-2024-27023

In the Linux kernel, the following vulnerability has been resolved: md: Fix missing release of 'active_io' for flush submit_flushes atomic_set(&mddev->flush_pending, 1); rdev_for_each_rcu(rdev, mddev) atomic_inc(&mddev->flush_pending); bi->bi_end_io = md_end_flush submit_bio(bi); /* flush io is ...

AI score 6.5, EPSS 0.00033

added 2024/05/01 1:15 p.m., 92 views

CVE-2024-27050

In the Linux kernel, the following vulnerability has been resolved: libbpf: Use OPTS_SET() macro in bpf_xdp_query() When the feature_flags and xdp_zc_max_segs fields were added to the libbpf bpf_xdp_query_opts, the code writing them did not use the OPTS_SET() macro. This causes libbpf to write to tho...

CVSS 5.5, AI score 6.8, EPSS 0.00009

added 2024/05/20 10:15 a.m., 92 views

CVE-2024-35982

In the Linux kernel, the following vulnerability has been resolved: batman-adv: Avoid infinite loop trying to resize local TT If the MTU of one of an attached interface becomes too small to transmit the local translation table then it must be resized to fit inside all fragments (when enabled) or a si...

CVSS 5.5, AI score 6.6, EPSS 0.00003

added 2024/05/30 4:15 p.m., 92 views

CVE-2024-36028

In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix DEBUG_LOCKS_WARN_ON(1) when dissolve_free_hugetlb_folio() When I did memory failure tests recently, below warning occurs: DEBUG_LOCKS_WARN_ON(1) WARNING: CPU: 8 PID: 1011 at kernel/locking/lockdep.c:232 __lock_acquir...

AI score 6.6, EPSS 0.00028

added 2024/05/30 4:15 p.m., 92 views

CVE-2024-36884

In the Linux kernel, the following vulnerability has been resolved: iommu/arm-smmu: Use the correct type in nvidia_smmu_context_fault() This was missed because of the function pointer indirection. nvidia_smmu_context_fault() is also installed as a irq function, and the 'void *' was changed to a stru...

CVSS 5.5, AI score 6.8, EPSS 0.00012

Total number of security vulnerabilities: 4367