CVE-2024-50186

In the Linux kernel, the following vulnerability has been resolved: net: explicitly clear the sk pointer, when pf->create fails We have recently noticed the exact same KASAN splat as in commit6cd4a78d962b ("net: do not leave a dangling sk pointer, when socketcreation fails"). The problem is that...

CVE-2024-56653

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btmtk: avoid UAF in btmtk_process_coredump hci_devcd_append may lead to the release of the skb, so it cannot beaccessed once it is called. ==================================================================BUG: KASAN: sla...

CVE-2024-56670

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: u_serial: Fix the issue that gs_start_io crashed due to accessing null pointer Considering that in some extreme cases,when u_serial driver is accessed by multiple threads,Thread A is executing the open operation and ca...

CVE-2020-36781

In the Linux kernel, the following vulnerability has been resolved: i2c: imx: fix reference leak when pm_runtime_get_sync fails In i2c_imx_xfer() and i2c_imx_remove(), the pm reference countis not expected to be incremented on return. However, pm_runtime_get_sync will increment pm reference countev...

CVE-2021-46982

In the Linux kernel, the following vulnerability has been resolved: f2fs: compress: fix race condition of overwrite vs truncate pos_fsstress testcase complains a panic as belew: ------------[ cut here ]------------kernel BUG at fs/f2fs/compress.c:1082!invalid opcode: 0000 [#1] SMP PTICPU: 4 PID: 27...

CVE-2021-47172

In the Linux kernel, the following vulnerability has been resolved: iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers Channel numbering must start at 0 and then not have any holes, orit is possible to overflow the available storage. Note this bug wasintroduced as part o...

CVE-2021-47177

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix sysfs leak in alloc_iommu() iommu_device_sysfs_add() is called before, so is has to be cleaned on subsequenterrors.

CVE-2021-47461

In the Linux kernel, the following vulnerability has been resolved: userfaultfd: fix a race between writeprotect and exit_mmap() A race is possible when a process exits, its VMAs are removed byexit_mmap() and at the same time userfaultfd_writeprotect() is called. The race was detected by KASAN on a...

CVE-2022-48702

In the Linux kernel, the following vulnerability has been resolved: ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() The voice allocator sometimes begins allocating from near the end of thearray and then wraps around, however snd_emu10k1_pcm_channel_alloc()accesses the new...

CVE-2022-48842

In the Linux kernel, the following vulnerability has been resolved: ice: Fix race condition during interface enslave Commit 5dbbbd01cbba83 ("ice: Avoid RTNL lock when re-creatingauxiliary device") changes a process of re-creation of aux deviceso ice_plug_aux_dev() is called from ice_service_task() ...

CVE-2023-52481

In the Linux kernel, the following vulnerability has been resolved: arm64: errata: Add Cortex-A520 speculative unprivileged load workaround Implement the workaround for ARM Cortex-A520 erratum 2966298. On anaffected Cortex-A520 core, a speculatively executed unprivileged loadmight leak data from a ...

CVE-2023-52483

In the Linux kernel, the following vulnerability has been resolved: mctp: perform route lookups under a RCU read-side lock Our current route lookups (mctp_route_lookup and mctp_route_lookup_null)traverse the net's route list without the RCU read lock held. This meansthe route lookup is subject to p...

CVE-2023-52586

In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Add mutex lock in control vblank irq Add a mutex lock to control vblank irq to synchronize vblankenable/disable operations happening from different threads to preventrace conditions while registering/unregistering the ...

CVE-2023-52680

In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Add missing error checks to *_ctl_get() The ctl_get() functions which call scarlett2_update () were notchecking the return value. Fix to check the return value and pass tothe caller.

CVE-2023-52835

In the Linux kernel, the following vulnerability has been resolved: perf/core: Bail out early if the request AUX area is out of bound When perf-record with a large AUX area, e.g 4GB, it fails with: #perf record -C 0 -m ,4G -e arm_spe_0// -- sleep 1 failed to mmap with 12 (Cannot allocate memory) an...

CVE-2023-52902

In the Linux kernel, the following vulnerability has been resolved: nommu: fix memory leak in do_mmap() error path The preallocation of the maple tree nodes may leak if the error path to"error_just_free" is taken. Fix this by moving the freeing of the mapletree nodes to a shared location for all er...

CVE-2024-26673

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations Disallow families other than NFPROTO_{IPV4,IPV6,INET}. Disallow layer 4 protocol with no ports, since destination port is amandatory attribute for thi...

CVE-2024-26706

In the Linux kernel, the following vulnerability has been resolved: parisc: Fix random data corruption from exception handler The current exception handler implementation, which assists when accessinguser space memory, may exhibit random data corruption if the compiler decidesto use a different reg...

CVE-2024-35839

In the Linux kernel, the following vulnerability has been resolved: netfilter: bridge: replace physindev with physinif in nf_bridge_info An skb can be added to a neigh->arp_queue while waiting for an arpreply. Where original skb's skb->dev can be different to neigh'sneigh->dev. For instanc...

CVE-2024-35895

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Prevent lock inversion deadlock in map delete elem syzkaller started using corpuses where a BPF tracing program deleteselements from a sockmap/sockhash map. Because BPF tracing programs can beinvoked from any interrup...

CVE-2024-35907

In the Linux kernel, the following vulnerability has been resolved: mlxbf_gige: call request_irq() after NAPI initialized The mlxbf_gige driver encounters a NULL pointer exception inmlxbf_gige_open() when kdump is enabled. The sequence to reproducethe exception is as follows:a) enable kdumpb) trigg...

CVE-2024-38575

In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: pcie: handle randbuf allocation failure The kzalloc() in brcmf_pcie_download_fw_nvram() will return nullif the physical memory has run out. As a result, if we useget_random_bytes() to generate random bytes in the ra...

CVE-2024-39498

In the Linux kernel, the following vulnerability has been resolved: drm/mst: Fix NULL pointer dereference at drm_dp_add_payload_part2 [Why]Commit: commit 5aa1dfcdf0a4 ("drm/mst: Refactor the flow for payload allocation/removement")accidently overwrite the commit commit 54d217406afe ("drm: use mgr-&...

CVE-2024-40903

In the Linux kernel, the following vulnerability has been resolved: usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps There could be a potential use-after-free case intcpm_register_source_caps(). This could happen when: new (say invalid) source caps are advertised the existing ...

CVE-2024-40907

In the Linux kernel, the following vulnerability has been resolved: ionic: fix kernel panic in XDP_TX action In the XDP_TX path, ionic driver sends a packet to the TX path with rxpage and corresponding dma address.After tx is done, ionic_tx_clean() frees that page.But RX ring buffer isn't reset to ...

CVE-2024-42232

In the Linux kernel, the following vulnerability has been resolved: libceph: fix race between delayed_work() and ceph_monc_stop() The way the delayed work is handled in ceph_monc_stop() is prone toraces with mon_fault() and possibly also finish_hunting(). Both ofthese can requeue the delayed work w...

CVE-2024-42250

In the Linux kernel, the following vulnerability has been resolved: cachefiles: add missing lock protection when polling Add missing lock protection in poll routine when iterating xarray,otherwise: Even with RCU read lock held, only the slot of the radix tree isensured to be pinned there, while the...

CVE-2024-43882

In the Linux kernel, the following vulnerability has been resolved: exec: Fix ToCToU between perm check and set-uid/gid usage When opening a file for exec via do_filp_open(), permission checking isdone against the file's metadata at that moment, and on success, a filepointer is passed back. Much la...

CVE-2024-47707

In the Linux kernel, the following vulnerability has been resolved: ipv6: avoid possible NULL deref in rt6_uncached_list_flush_dev() Blamed commit accidentally removed a check for rt->rt6i_idev being NULL,as spotted by syzbot: Oops: general protection fault, probably for non-canonical address 0x...

CVE-2024-50015

In the Linux kernel, the following vulnerability has been resolved: ext4: dax: fix overflowing extents beyond inode size when partially writing The dax_iomap_rw() does two things in each iteration: map written blocksand copy user data to blocks. If the process is killed by user(See signalhandling i...

CVE-2024-50101

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix incorrect pci_for_each_dma_alias() for non-PCI devices Previously, the domain_context_clear() function incorrectly calledpci_for_each_dma_alias() to set up context entries for non-PCI devices.This could lead to kern...

CVE-2024-50115

In the Linux kernel, the following vulnerability has been resolved: KVM: nSVM: Ignore nCR3[4:0] when loading PDPTEs from memory Ignore nCR3[4:0] when loading PDPTEs from memory for nested SVM, as bits4:0 of CR3 are ignored when PAE paging is used, and thus VMRUN doesn'tenforce 32-byte alignment of ...

CVE-2024-50130

In the Linux kernel, the following vulnerability has been resolved: netfilter: bpf: must hold reference on net namespace BUG: KASAN: slab-use-after-free in __nf_unregister_net_hook+0x640/0x6b0Read of size 8 at addr ffff8880106fe400 by task repro/72=bpf_nf_link_release+0xda/0x1e0bpf_link_free+0x139/...

CVE-2024-50131

In the Linux kernel, the following vulnerability has been resolved: tracing: Consider the NULL character when validating the event length strlen() returns a string length excluding the null byte. If the stringlength equals to the maximum buffer length, the buffer will have nospace for the NULL term...

CVE-2024-50218

In the Linux kernel, the following vulnerability has been resolved: ocfs2: pass u64 to ocfs2_truncate_inline maybe overflow Syzbot reported a kernel BUG in ocfs2_truncate_inline. There are tworeasons for this: first, the parameter value passed is greater thanocfs2_max_inline_data_with_xattr, second...

CVE-2024-50261

In the Linux kernel, the following vulnerability has been resolved: macsec: Fix use-after-free while sending the offloading packet KASAN reports the following UAF. The metadata_dst, which is used tostore the SCI value for macsec offload, is already freed bymetadata_dst_free() in macsec_free_netdev(...

CVE-2024-56727

In the Linux kernel, the following vulnerability has been resolved: octeontx2-pf: handle otx2_mbox_get_rsp errors in otx2_flows.c Adding error pointer check after calling otx2_mbox_get_rsp().

CVE-2024-56752

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau/gr/gf100: Fix missing unlock in gf100_gr_chan_new() When the call to gf100_grctx_generate() fails, unlock gr->fecs.mutexbefore returning the error. Fixes smatch warning: drivers/gpu/drm/nouveau/nvkm/engine/gr/gf100.c...

CVE-2021-46986

In the Linux kernel, the following vulnerability has been resolved: usb: dwc3: gadget: Free gadget structure only after freeing endpoints As part of commit e81a7018d93a ("usb: dwc3: allocate gadget structuredynamically") the dwc3_gadget_release() was added which will freethe dwc->gadget structur...

CVE-2021-47124

In the Linux kernel, the following vulnerability has been resolved: io_uring: fix link timeout refs WARNING: CPU: 0 PID: 10242 at lib/refcount.c:28 refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28RIP: 0010:refcount_warn_saturate+0x15b/0x1a0 lib/refcount.c:28Call Trace:__refcount_sub_and_test in...

CVE-2021-47126

In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions Reported by syzbot:HEAD commit: 90c911ad Merge tag 'fixes' of git://git.kernel.org/pub/scm..git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux...

CVE-2021-47416

In the Linux kernel, the following vulnerability has been resolved: phy: mdio: fix memory leak Syzbot reported memory leak in MDIO bus interface, the problem was inwrong state logic. MDIOBUS_ALLOCATED indicates 2 states:1. Bus is only allocated2. Bus allocated and __mdiobus_register() fails, butdev...

CVE-2021-47466

In the Linux kernel, the following vulnerability has been resolved: mm, slub: fix potential memoryleak in kmem_cache_open() In error path, the random_seq of slub cache might be leaked. Fix thisby using __kmem_cache_release() to release all the relevant resources.

CVE-2022-48696

In the Linux kernel, the following vulnerability has been resolved: regmap: spi: Reserve space for register address/padding Currently the max_raw_read and max_raw_write limits in regmap_spi structdo not take into account the additional size of the transmitted registeraddress and padding. This may r...

CVE-2022-48839

In the Linux kernel, the following vulnerability has been resolved: net/packet: fix slab-out-of-bounds access in packet_recvmsg() syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESHand mmap operations, tpacket_rcv() is queueing skbs withgarbage in skb->cb[], triggering a too b...

CVE-2022-48934

In the Linux kernel, the following vulnerability has been resolved: nfp: flower: Fix a potential leak in nfp_tunnel_add_shared_mac() ida_simple_get() returns an id between min (0) and max (NFP_MAX_MAC_INDEX)inclusive.So NFP_MAX_MAC_INDEX (0xff) is a valid id. In order for the error handling path to...

CVE-2024-26635

In the Linux kernel, the following vulnerability has been resolved: llc: Drop support for ETH_P_TR_802_2. syzbot reported an uninit-value bug below. [0] llc supports ETH_P_802_2 (0x0004) and used to support ETH_P_TR_802_2(0x0011), and syzbot abused the latter to trigger the bug. write$tun(r0, &(0x7...

CVE-2024-26791

In the Linux kernel, the following vulnerability has been resolved: btrfs: dev-replace: properly validate device names There's a syzbot report that device name buffers passed to devicereplace are not properly checked for string termination which could leadto a read out of bounds in getname_kernel()...

CVE-2024-26864

In the Linux kernel, the following vulnerability has been resolved: tcp: Fix refcnt handling in __inet_hash_connect(). syzbot reported a warning in sk_nulls_del_node_init_rcu(). The commit 66b60b0c8c4a ("dccp/tcp: Unhash sk from ehash for tb2 allocfailure after check_estalblished().") tried to fix ...

CVE-2024-36972

In the Linux kernel, the following vulnerability has been resolved: af_unix: Update unix_sk(sk)->oob_skb under sk_receive_queue lock. Billy Jheng Bing-Jhong reported a race between __unix_gc() andqueue_oob(). __unix_gc() tries to garbage-collect close()d inflight sockets,and then if the socket h...