CVE-2024-36961

In the Linux kernel, the following vulnerability has been resolved: thermal/debugfs: Fix two locking issues with thermal zone debug With the current thermal zone locking arrangement in the debugfs code,user space can open the "mitigations" file for a thermal zone beforethe zone's debugfs pointer is...

CVE-2024-38604

In the Linux kernel, the following vulnerability has been resolved: block: refine the EOF check in blkdev_iomap_begin blkdev_iomap_begin rounds down the offset to the logical block sizebefore stashing it in iomap->offset and checking that it still isinside the inode size. Check the i_size check ...

CVE-2024-39506

In the Linux kernel, the following vulnerability has been resolved: liquidio: Adjust a NULL pointer handling path in lio_vf_rep_copy_packet In lio_vf_rep_copy_packet() pg_info->page is compared to a NULL value,but then it is unconditionally passed to skb_add_rx_frag() which looksstrange and coul...

CVE-2024-40922

In the Linux kernel, the following vulnerability has been resolved: io_uring/rsrc: don't lock while !TASK_RUNNING There is a report of io_rsrc_ref_quiesce() locking a mutex while notTASK_RUNNING, which is due to forgetting restoring the state back afterio_run_task_work_sig() and attempts to break o...

CVE-2024-40923

In the Linux kernel, the following vulnerability has been resolved: vmxnet3: disable rx data ring on dma allocation failure When vmxnet3_rq_create() fails to allocate memory for rq->data_ring.base,the subsequent call to vmxnet3_rq_destroy_all_rxdataring does not resetrq->data_ring.desc_size f...

CVE-2024-42243

In the Linux kernel, the following vulnerability has been resolved: mm/filemap: make MAX_PAGECACHE_ORDER acceptable to xarray Patch series "mm/filemap: Limit page cache size to that supported byxarray", v2. Currently, xarray can't support arbitrary page cache size. More detailscan be found from the...

CVE-2024-42315

In the Linux kernel, the following vulnerability has been resolved: exfat: fix potential deadlock on __exfat_get_dentry_set When accessing a file with more entries than ES_MAX_ENTRY_NUM, the bh-arrayis allocated in __exfat_get_entry_set. The problem is that the bh-array isallocated with GFP_KERNEL....

CVE-2024-50009

In the Linux kernel, the following vulnerability has been resolved: cpufreq: amd-pstate: add check for cpufreq_cpu_get's return value cpufreq_cpu_get may return NULL. To avoid NULL-dereference check itand return in case of error. Found by Linux Verification Center (linuxtesting.org) with SVACE.

CVE-2024-50099

In the Linux kernel, the following vulnerability has been resolved: arm64: probes: Remove broken LDR (literal) uprobe support The simulate_ldr_literal() and simulate_ldrsw_literal() functions areunsafe to use for uprobes. Both functions were originally written foruse with kprobes, and access memory...

CVE-2024-50191

In the Linux kernel, the following vulnerability has been resolved: ext4: don't set SB_RDONLY after filesystem errors When the filesystem is mounted with errors=remount-ro, we were settingSB_RDONLY flag to stop all filesystem modifications. We knew this missesproper locking (sb->s_umount) and do...

CVE-2024-53061

In the Linux kernel, the following vulnerability has been resolved: media: s5p-jpeg: prevent buffer overflows The current logic allows word to be less than 2. If this happens,there will be buffer overflows, as reported by smatch. Add extrachecks to prevent it. While here, remove an unused word = 0 ...

CVE-2021-47054

In the Linux kernel, the following vulnerability has been resolved: bus: qcom: Put child node before return Put child node before return to fix potential reference count leak.Generally, the reference count of child is incremented and decrementedautomatically in the macro for_each_available_child_of...

CVE-2021-47171

In the Linux kernel, the following vulnerability has been resolved: net: usb: fix memory leak in smsc75xx_bind Syzbot reported memory leak in smsc75xx_bind().The problem was is non-freed memory in case oferrors after memory allocation. backtrace:[] kmalloc include/linux/slab.h:556 [inline][] kzallo...

CVE-2021-47221

In the Linux kernel, the following vulnerability has been resolved: mm/slub: actually fix freelist pointer vs redzoning It turns out that SLUB redzoning ("slub_debug=Z") checks froms->object_size rather than from s->inuse (which is normally bumped tomake room for the freelist pointer), so a c...

CVE-2021-47400

In the Linux kernel, the following vulnerability has been resolved: net: hns3: do not allow call hns3_nic_net_open repeatedly hns3_nic_net_open() is not allowed to called repeatly, but thereis no checking for this. When doing device reset and setup tcconcurrently, there is a small oppotunity to cal...

CVE-2021-47408

In the Linux kernel, the following vulnerability has been resolved: netfilter: conntrack: serialize hash resizes and cleanups Syzbot was able to trigger the following warning [1] No repro found by syzbot yet but I was able to trigger similar issueby having 2 scripts running in parallel, changing co...

CVE-2021-47544

In the Linux kernel, the following vulnerability has been resolved: tcp: fix page frag corruption on page fault Steffen reported a TCP stream corruption for HTTP requestsserved by the apache web-server using a cifs mount-pointand memory mapping the relevant file. The root cause is quite similar to ...

CVE-2022-48686

In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix UAF when detecting digest errors We should also bail from the io_work loop when we set rd_enabled to true,so we don't attempt to read data from the socket when the TCP stream isalready out-of-sync or corrupted.

CVE-2022-48772

In the Linux kernel, the following vulnerability has been resolved: media: lgdt3306a: Add a check against null-pointer-def The driver should check whether the client provides the platform_data. The following log reveals it: [ 29.610324] BUG: KASAN: null-ptr-deref in kmemdup+0x30/0x40[ 29.610730] Re...

CVE-2022-49034

In the Linux kernel, the following vulnerability has been resolved: sh: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS are selected,cpu_max_bits_warn() generates a runtime warning similar as below whenshowing /proc/cpuinfo. Fix this by ...

CVE-2023-52479

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix uaf in smb20_oplock_break_ack drop reference after use opinfo.

CVE-2023-52764

In the Linux kernel, the following vulnerability has been resolved: media: gspca: cpia1: shift-out-of-bounds in set_flicker Syzkaller reported the following issue:UBSAN: shift-out-of-bounds in drivers/media/usb/gspca/cpia1.c:1031:27shift exponent 245 is too large for 32-bit type 'int' When the valu...

CVE-2024-24860

A race condition was found in the Linux kernel's bluetooth device driver in {min,max}_key_size_set() function. This can result in a null pointer dereference issue, possibly leading to a kernel panic or denial of service issue.

CVE-2024-25740

A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBI_IOCATT, because kobj->name is not released.

CVE-2024-26694

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: fix double-free bug The storage for the TLV PC register data wasn't done like allthe other storage in the drv->fw area, which is cleared at theend of deallocation. Therefore, the freeing must also be donedifferent...

CVE-2024-26697

In the Linux kernel, the following vulnerability has been resolved: nilfs2: fix data corruption in dsync block recovery for small block sizes The helper function nilfs_recovery_copy_block() ofnilfs_recovery_dsync_blocks(), which recovers data from logs created bydata sync writes during a mount afte...

CVE-2024-35857

In the Linux kernel, the following vulnerability has been resolved: icmp: prevent possible NULL dereferences from icmp_build_probe() First problem is a double call to __in_dev_get_rcu(), becausethe second one could return NULL. if (__in_dev_get_rcu(dev) && __in_dev_get_rcu(dev)->ifa_list) Second...

CVE-2024-38540

In the Linux kernel, the following vulnerability has been resolved: bnxt_re: avoid shift undefined behavior in bnxt_qplib_alloc_init_hwq Undefined behavior is triggered when bnxt_qplib_alloc_init_hwq is calledwith hwq_attr->aux_depth != 0 and hwq_attr->aux_stride == 0.In that case, "roundup_p...

CVE-2024-39484

In the Linux kernel, the following vulnerability has been resolved: mmc: davinci: Don't strip remove function when driver is builtin Using __exit for the remove function results in the remove callback beingdiscarded with CONFIG_MMC_DAVINCI=y. When such a device gets unbound (e.g.using sysfs or hotp...

CVE-2024-40913

In the Linux kernel, the following vulnerability has been resolved: cachefiles: defer exposing anon_fd until after copy_to_user() succeeds After installing the anonymous fd, we can now see it in userland and closeit. However, at this point we may not have gotten the reference count ofthe cache, but...

CVE-2024-41023

In the Linux kernel, the following vulnerability has been resolved: sched/deadline: Fix task_struct reference leak During the execution of the following stress test with linux-rt: stress-ng --cyclic 30 --timeout 30 --minimize --quiet kmemleak frequently reported a memory leak concerning the task_st...

CVE-2024-41057

In the Linux kernel, the following vulnerability has been resolved: cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() We got the following issue in our fault injection stress test: ==================================================================BUG: KASAN: slab-use-after-free in...

CVE-2024-41082

In the Linux kernel, the following vulnerability has been resolved: nvme-fabrics: use reserved tag for reg read/write command In some scenarios, if too many commands are issued by nvme command inthe same time by user tasks, this may exhaust all tags of admin_q. Ifa reset (nvme reset or IO timeout) ...

CVE-2024-41085

In the Linux kernel, the following vulnerability has been resolved: cxl/mem: Fix no cxl_nvd during pmem region auto-assembling When CXL subsystem is auto-assembling a pmem region during cxlendpoint port probing, always hit below calltrace. BUG: kernel NULL pointer dereference, address: 000000000000...

CVE-2024-42123

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix double free err_addr pointer warnings In amdgpu_umc_bad_page_polling_timeout, the amdgpu_umc_handle_bad_pageswill be run many times so that double free err_addr in some special case.So set the err_addr to NULL to av...

CVE-2024-42132

In the Linux kernel, the following vulnerability has been resolved: bluetooth/hci: disallow setting handle bigger than HCI_CONN_HANDLE_MAX Syzbot hit warning in hci_conn_del() caused by freeing handle that wasnot allocated using ida allocator. This is caused by handle bigger than HCI_CONN_HANDLE_MA...

CVE-2024-43854

In the Linux kernel, the following vulnerability has been resolved: block: initialize integrity buffer to zero before writing it to media Metadata added by bio_integrity_prep is using plain kmalloc, which leadsto random kernel memory being written media. For PI metadata this islimited to the app ta...

CVE-2024-43865

In the Linux kernel, the following vulnerability has been resolved: s390/fpu: Re-add exception handling in load_fpu_state() With the recent rewrite of the fpu code exception handling for thelfpc instruction within load_fpu_state() was erroneously removed. Add it again to prevent that loading invali...

CVE-2024-43888

In the Linux kernel, the following vulnerability has been resolved: mm: list_lru: fix UAF for memory cgroup The mem_cgroup_from_slab_obj() is supposed to be called under rcu lock orcgroup_mutex or others which could prevent returned memcg from beingfreed. Fix it by adding missing rcu read lock. Fou...

CVE-2024-44965

In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix pti_clone_pgtable() alignment assumption Guenter reported dodgy crashes on an i386-nosmp build using GCC-11that had the form of endless traps until entry stack exhaust and then#DF from the stack guard. It turned out tha...

CVE-2024-46783

In the Linux kernel, the following vulnerability has been resolved: tcp_bpf: fix return value of tcp_bpf_sendmsg() When we cork messages in psock->cork, the last message triggers theflushing will result in sending a sk_msg larger than the currentmessage size. In this case, in tcp_bpf_send_verdic...

CVE-2024-46867

In the Linux kernel, the following vulnerability has been resolved: drm/xe/client: fix deadlock in show_meminfo() There is a real deadlock as well as sleeping in atomic() bug in here, ifthe bo put happens to be the last ref, since bo destruction wants tograb the same spinlock and sleeping locks. Fi...

CVE-2024-47754

In the Linux kernel, the following vulnerability has been resolved: media: mediatek: vcodec: Fix H264 multi stateless decoder smatch warning Fix a smatch static checker warning on vdec_h264_req_multi_if.c.Which leads to a kernel crash when fb is NULL.

CVE-2024-49862

In the Linux kernel, the following vulnerability has been resolved: powercap: intel_rapl: Fix off by one in get_rpi() The rp->priv->rpi array is either rpi_msr or rpi_tpmi which haveNR_RAPL_PRIMITIVES number of elements. Thus the > needs to be >=to prevent an off by one access.

CVE-2024-49929

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: avoid NULL pointer dereference iwl_mvm_tx_skb_sta() and iwl_mvm_tx_mpdu() verify that the mvmvstapointer is not NULL.It retrieves this pointer using iwl_mvm_sta_from_mac80211, which isdereferencing the ieee80211...

CVE-2024-49936

In the Linux kernel, the following vulnerability has been resolved: net/xen-netback: prevent UAF in xenvif_flush_hash() During the list_for_each_entry_rcu iteration call of xenvif_flush_hash,kfree_rcu does not exist inside the rcu read critical section, so ifkfree_rcu is called when the rcu grace p...

CVE-2024-49949

In the Linux kernel, the following vulnerability has been resolved: net: avoid potential underflow in qdisc_pkt_len_init() with UFO After commit 7c6d2ecbda83 ("net: be more gentle about silly gsorequests coming from user") virtio_net_hdr_to_skb() had sanity checkto detect malicious attempts from us...

CVE-2024-50002

In the Linux kernel, the following vulnerability has been resolved: static_call: Handle module init failure correctly in static_call_del_module() Module insertion invokes static_call_add_module() to initialize the staticcalls in a module. static_call_add_module() invokes __static_call_init(),which ...

CVE-2024-50086

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix user-after-free from session log off There is racy issue between smb2 session log off and smb2 session setup.It will cause user-after-free from session log off.This add session_lock when setting SMB2_SESSION_EXPIRED and ...

CVE-2024-50163

In the Linux kernel, the following vulnerability has been resolved: bpf: Make sure internal and UAPI bpf_redirect flags don't overlap The bpf_redirect_info is shared between the SKB and XDP redirect paths,and the two paths use the same numeric flag values in the ri->flagsfield (specifically, BPF...