6925 matches found
CVE-2011-2700
Multiple buffer overflows in the si4713_write_econtrol_string function in drivers/media/radio/si4713-i2c.c in the Linux kernel before 2.6.39.4 on the N900 platform might allow local users to cause a denial of service or have unspecified other impact via a crafted s_ext_ctrls operation with a (1) V4...
CVE-2011-4913
The rose_parse_ccitt function in net/rose/rose_subr.c in the Linux kernel before 2.6.39 does not validate the FAC_CCITT_DEST_NSAP and FAC_CCITT_SRC_NSAP fields, which allows remote attackers to (1) cause a denial of service (integer underflow, heap memory corruption, and panic) via a small length v...
CVE-2012-2745
The copy_creds function in kernel/cred.c in the Linux kernel before 3.3.2 provides an invalid replacement session keyring to a child process, which allows local users to cause a denial of service (panic) via a crafted application that uses the fork system call.
CVE-2012-5517
The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator...
CVE-2013-6376
The recalculate_apic_map function in arch/x86/kvm/lapic.c in the KVM subsystem in the Linux kernel through 3.12.5 allows guest OS users to cause a denial of service (host OS crash) via a crafted ICR write operation in x2apic mode.
CVE-2014-5206
The do_remount function in fs/namespace.c in the Linux kernel through 3.16.1 does not maintain the MNT_LOCK_READONLY bit across a remount of a bind mount, which allows local users to bypass an intended read-only restriction and defeat certain sandbox protection mechanisms via a "mount -o remount" c...
CVE-2014-9717
fs/namespace.c in the Linux kernel before 4.0.2 processes MNT_DETACH umount2 system calls without verifying that the MNT_LOCKED flag is unset, which allows local users to bypass intended access restrictions and navigate to filesystem locations beneath a mount by calling umount2 within a user namesp...
CVE-2016-2066
Integer signedness error in the MSM QDSP6 audio driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges or cause a denial of service (memory corruption) via a crafted application that...
CVE-2016-5340
The is_ashmem_file function in drivers/staging/android/ashmem.c in a certain Qualcomm Innovation Center (QuIC) Android patch for the Linux kernel 3.x mishandles pointer validation within the KGSL Linux Graphics Module, which allows attackers to bypass intended access restrictions by using the /ashm...
CVE-2017-18552
An issue was discovered in net/rds/af_rds.c in the Linux kernel before 4.11. There is an out of bounds write and read in the function rds_recv_track_latency.
CVE-2020-27784
A vulnerability was found in the Linux kernel, where accessing a deallocated instance in printer_ioctl() printer_ioctl() tries to access of a printer_dev instance. However, use-after-free arises because it had been freed by gprinter_free().
CVE-2021-3736
A flaw was found in the Linux kernel. A memory leak problem was found in mbochs_ioctl in samples/vfio-mdev/mbochs.c in Virtual Function I/O (VFIO) Mediated devices. This flaw could allow a local attacker to leak internal kernel information.
CVE-2021-47114
In the Linux kernel, the following vulnerability has been resolved: ocfs2: fix data corruption by fallocate When fallocate punches holes out of inode size, if original isize is inthe middle of last cluster, then the part from isize to the end of thecluster will be zeroed with buffer write, at that ...
CVE-2021-47120
In the Linux kernel, the following vulnerability has been resolved: HID: magicmouse: fix NULL-deref on disconnect Commit 9d7b18668956 ("HID: magicmouse: add support for Apple MagicTrackpad 2") added a sanity check for an Apple trackpad but returnedsuccess instead of -ENODEV when the check failed. T...
CVE-2021-47139
In the Linux kernel, the following vulnerability has been resolved: net: hns3: put off calling register_netdev() until client initialize complete Currently, the netdevice is registered before client initializingcomplete. So there is a timewindow between netdevice availableand usable. In this case, ...
CVE-2021-47146
In the Linux kernel, the following vulnerability has been resolved: mld: fix panic in mld_newpack() mld_newpack() doesn't allow to allocate high order page,only order-0 allocation is allowed.If headroom size is too large, a kernel panic could occur in skb_put(). Test commands:ip netns del Aip netns...
CVE-2021-47158
In the Linux kernel, the following vulnerability has been resolved: net: dsa: sja1105: add error handling in sja1105_setup() If any of sja1105_static_config_load(), sja1105_clocking_setup() orsja1105_devlink_setup() fails, we can't just return in the middle ofsja1105_setup() or memory will leak. Ad...
CVE-2021-47209
In the Linux kernel, the following vulnerability has been resolved: sched/fair: Prevent dead task groups from regaining cfs_rq's Kevin is reporting crashes which point to a use-after-free of a cfs_rqin update_blocked_averages(). Initial debugging revealed that we'velive cfs_rq's (on_list=1) in an a...
CVE-2021-47223
In the Linux kernel, the following vulnerability has been resolved: net: bridge: fix vlan tunnel dst null pointer dereference This patch fixes a tunnel_dst null pointer dereference due to locklessaccess in the tunnel egress path. When deleting a vlan tunnel thetunnel_dst pointer is set to NULL with...
CVE-2021-47283
In the Linux kernel, the following vulnerability has been resolved: net:sfc: fix non-freed irq in legacy irq mode SFC driver can be configured via modparam to work using MSI-X, MSI orlegacy IRQ interrupts. In the last one, the interrupt was not properlyreleased on module remove. It was not freed be...
CVE-2021-47295
In the Linux kernel, the following vulnerability has been resolved: net: sched: fix memory leak in tcindex_partial_destroy_work Syzbot reported memory leak in tcindex_set_parms(). The problem was innon-freed perfect hash in tcindex_partial_destroy_work(). In tcindex_set_parms() new tcindex_data is ...
CVE-2021-47309
In the Linux kernel, the following vulnerability has been resolved: net: validate lwtstate->data before returning from skb_tunnel_info() skb_tunnel_info() returns pointer of lwtstate->data as ip_tunnel_infotype without validation. lwtstate->data can have various types such asmpls_iptunnel_...
CVE-2021-47343
In the Linux kernel, the following vulnerability has been resolved: dm btree remove: assign new_root only when removal succeeds remove_raw() in dm_btree_remove() may fail due to IO read error(e.g. read the content of origin block fails during shadowing),and the value of shadow_spine::root is uninit...
CVE-2021-47351
In the Linux kernel, the following vulnerability has been resolved: ubifs: Fix races between xattr_{set|get} and listxattr operations UBIFS may occur some problems with concurrent xattr_{set|get} andlistxattr operations, such as assertion failure, memory corruption,stale xattr value[1]. Fix it by i...
CVE-2021-47382
In the Linux kernel, the following vulnerability has been resolved: s390/qeth: fix deadlock during failing recovery Commit 0b9902c1fcc5 ("s390/qeth: fix deadlock during recovery") removedtaking discipline_mutex inside qeth_do_reset(), fixing potentialdeadlocks. An error path was missed though, that...
CVE-2021-47390
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Fix stack-out-of-bounds memory access from ioapic_write_indirect() KASAN reports the following issue: BUG: KASAN: stack-out-of-bounds in kvm_make_vcpus_request_mask+0x174/0x440 [kvm]Read of size 8 at addr ffffc9001364f638...
CVE-2021-47394
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unlink table before deleting it syzbot reports following UAF:BUG: KASAN: use-after-free in memcmp+0x18f/0x1c0 lib/string.c:955nla_strcmp+0xf2/0x130 lib/nlattr.c:836nft_table_lookup.part.0+0x1a2/0x460 net/netfi...
CVE-2021-47476
In the Linux kernel, the following vulnerability has been resolved: comedi: ni_usb6501: fix NULL-deref in command paths The driver uses endpoint-sized USB transfer buffers but had no sanitychecks on the sizes. This can lead to zero-size-pointer dereferences oroverflowed transfer buffers in ni6501_p...
CVE-2021-47670
In the Linux kernel, the following vulnerability has been resolved: can: peak_usb: fix use after free bugs After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe.Especially, the can_frame cf which aliases skb memory is accessedafter the peak_usb_netif_rx_ni(). Reordering the lines sol...
CVE-2022-48692
In the Linux kernel, the following vulnerability has been resolved: RDMA/srp: Set scmnd->result only when scmnd is not NULL This change fixes the following kernel NULL pointer dereferencewhich is reproduced by blktests srp/007 occasionally. BUG: kernel NULL pointer dereference, address: 00000000...
CVE-2022-48732
In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: fix off by one in BIOS boundary checking Bounds checking when parsing init scripts embedded in the BIOS rejectaccess to the last byte. This causes driver initialization to fail onApple eMac's with GeForce 2 MX GPUs, le...
CVE-2022-48793
In the Linux kernel, the following vulnerability has been resolved: KVM: x86: nSVM: fix potential NULL derefernce on nested migration Turns out that due to review feedback and/or rebasesI accidentally moved the call to nested_svm_load_cr3 to be too early,before the NPT is enabled, which is very wro...
CVE-2022-48838
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver The syzbot fuzzer found a use-after-free bug: BUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320Read of size 8 at addr ffff88802b93409...
CVE-2022-48935
In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: unregister flowtable hooks on netns exit Unregister flowtable hooks before they are releases vianf_tables_flowtable_destroy() otherwise hook core reports UAF. BUG: KASAN: use-after-free in nf_hook_entries_grow...
CVE-2022-48954
In the Linux kernel, the following vulnerability has been resolved: s390/qeth: fix use-after-free in hsci KASAN found that addr was dereferenced after br2dev_event_work was freed. ==================================================================BUG: KASAN: use-after-free in qeth_l2_br2dev_worker+0...
CVE-2022-48999
In the Linux kernel, the following vulnerability has been resolved: ipv4: Handle attempt to delete multipath route when fib_info contains an nh reference Gwangun Jung reported a slab-out-of-bounds access in fib_nh_match:fib_nh_match+0xf98/0x1130 linux-6.0-rc7/net/ipv4/fib_semantics.c:961fib_table_d...
CVE-2022-49012
In the Linux kernel, the following vulnerability has been resolved: afs: Fix server->active leak in afs_put_server The atomic_read was accidentally replaced with atomic_inc_return,which prevents the server from getting cleaned up and causes rmmodto hang with a warning: Can't purge s=00000001
CVE-2022-49023
In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: fix buffer overflow in elem comparison For vendor elements, the code here assumes that 5 octetsare present without checking. Since the element itself isalready checked to fit, we only need to check the length.
CVE-2022-49239
In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd934x: Add missing of_node_put() in wcd934x_codec_parse_data The device_node pointer is returned by of_parse_phandle() with refcountincremented. We should use of_node_put() on it when done.This is similar to commit ...
CVE-2022-49369
In the Linux kernel, the following vulnerability has been resolved: amt: fix possible memory leak in amt_rcv() If an amt receives packets and it finds socket.If it can't find a socket, it should free a received skb.But it doesn't.So, a memory leak would possibly occur.
CVE-2022-49463
In the Linux kernel, the following vulnerability has been resolved: thermal/drivers/imx_sc_thermal: Fix refcount leak in imx_sc_thermal_probe of_find_node_by_name() returns a node pointer with refcountincremented, we should use of_node_put() on it when done.Add missing of_node_put() to avoid refcou...
CVE-2022-49477
In the Linux kernel, the following vulnerability has been resolved: ASoC: samsung: Fix refcount leak in aries_audio_probe of_parse_phandle() returns a node pointer with refcountincremented, we should use of_node_put() on it when done.If extcon_find_edev_by_node() fails, it doesn't call of_node_put(...
CVE-2022-49487
In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: intel: fix possible null-ptr-deref in ebu_nand_probe() It will cause null-ptr-deref when using 'res', if platform_get_resource()returns NULL, so move using 'res' after devm_ioremap_resource() thatwill check it to avoi...
CVE-2022-49591
In the Linux kernel, the following vulnerability has been resolved: net: dsa: microchip: ksz_common: Fix refcount leak bug In ksz_switch_register(), we should call of_node_put() for thereference returned by of_get_child_by_name() which has increasedthe refcount.
CVE-2022-49909
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() When l2cap_recv_frame() is invoked to receive data, and the cid isL2CAP_CID_A2MP, if the channel does not exist, it will create a channel.However, after a channel is created,...
CVE-2023-52505
In the Linux kernel, the following vulnerability has been resolved: phy: lynx-28g: serialize concurrent phy_set_mode_ext() calls to shared registers The protocol converter configuration registers PCC8, PCCC, PCCD(implemented by the driver), as well as others, control protocolconverters from multipl...
CVE-2023-52559
In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Avoid memory allocation in iommu_suspend() The iommu_suspend() syscore suspend callback is invoked with IRQ disabled.Allocating memory with the GFP_KERNEL flag may re-enable IRQs duringthe suspend callback, which can ca...
CVE-2023-52702
In the Linux kernel, the following vulnerability has been resolved: net: openvswitch: fix possible memory leak in ovs_meter_cmd_set() old_meter needs to be free after it is detached regardless of whetherthe new meter is successfully attached.
CVE-2023-52738
In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/fence: Fix oops due to non-matching drm_sched init/fini Currently amdgpu calls drm_sched_fini() from the fence driver sw finiroutine - such function is expected to be called only after therespective init function - drm_s...
CVE-2023-52860
In the Linux kernel, the following vulnerability has been resolved: drivers/perf: hisi: use cpuhp_state_remove_instance_nocalls() for hisi_hns3_pmu uninit process When tearing down a 'hisi_hns3' PMU, we mistakenly run the CPU hotplugcallbacks after the device has been unregistered, leading to firew...