CVE-2024-26620
CVE-2024-26620 affects the Linux kernel’s s390 VFIO AP mediated devices (vfio-ap). The issue stems from vfio_ap_mdev_filter_matrix: when a new adapter or domain is assigned to an mdev, only the APID/APQI for the new item was inspected. This could leave AP queues bound to no driver exposed to a gu...
CVE-2023-52494
CVE-2023-52494 concerns the Linux kernel bus: mhi driver. The vulnerability arises from an unaligned event ring read pointer reading 128-bit elements (struct mhi_ring_element). Although the code validates the pointer is within the buffer, an unaligned pointer could lead to DoS or ring-buffer memo...
CVE-2023-52495
CVE-2023-52495 affects the Linux kernel PMIC GLINK altmode driver (qcom) and is caused by an incomplete port sanity check. The driver supports at most two ports; a notification for an unsupported port could access memory beyond the port array, risking memory corruption. The issue is addressed by ...
CVE-2024-26936
CVE-2024-26936 affects the Linux kernel component ksmbd. The issue arises because the response buffer is allocated in smb2_allocate_rsp_buf() only after validating the request, while the patch shows that fields in the payload and the SMB2 header are used within smb2_allocate_rsp_buf(), enabling a...
CVE-2024-27000
Summary: CVE-2024-27000 is a Linux kernel vulnerability in the serial mxs-auart driver where uart_handle_cts_change() could be invoked without holding uport->lock, risking mis-synchronization. The issue is resolved by adding a spinlock around changing the CTS state. The described scenario invo...
CVE-2024-26965
CVE-2024-26965 affects the Linux kernel clk/qcom:mmcc-msm8974. The issue stems from frequency table arrays not being terminated with an empty element, which can lead to out-of-bounds traversal by qcom_find_freq() or qcom_find_freq_floor(). The fix adds a terminating empty entry at the end of the ...
CVE-2024-26955
CVE-2024-26955 is a Linux kernel vulnerability in nilfs2. The issue arises when nilfs_get_block() can return success in a state where both searching and inserting a block fail due to a race, potentially leading to a read of an unmapped buffer and triggering a BUG_ON in submit_bh_wbc() via BH_Mapp...
CVE-2024-27075
CVE-2024-27075 targets Linux kernel media/dvb-frontends, specifically the stv0367 driver. The root cause is a stack-frame growth issue (stack frame size 3624 exceeds 2048) exposed by clang/KASAN_STACK, due to temporary i2c_msg structures on the stack in stv0367ter_set_frontend. The fix reworks st...
CVE-2024-27065
CVE-2024-27065 is a Linux kernel issue affecting nf_tables: the verifier could incorrectly compare internal table flags during updates. The public advisories in connected documents reference a fix that “restores skipping transaction if table update does not modify flags,” applied as part of kerne...
CVE-2024-26951
CVE-2024-26951 (Linux kernel, WireGuard): The bug occurs in the netlink dump when peers are removed with wg_peer_remove_all(): a cursored peer that has been removed can lead to iterating freed peers, causing a use-after-free. The fix changes the check from an empty peer_list to the dedicated is_...
CVE-2024-38629
In CVE-2024-38629, the Linux kernel’s dmaengine: idxd driver had a use-after-free risk where ida_destroy(&file_ida) could run after file_ida was already destroyed during WQ cdev teardown, risking a kernel panic. The fix removes ida_destroy(&file_ida) since file_ida is allocated on cdev open and f...
CVE-2021-46965
CVE-2021-46965: Linux kernel mtd/physmap/physmap-bt1-rom vulnerability where casting &data to (char *) caused unintentional stack access; the fix corrects the byte offset calculation (data is u32) to prevent out-of-bounds stack access. Affected code and root cause are documented in the upstream ...
CVE-2024-27397
CVE-2024-27397 affects the Linux kernel nf_tables in netfilter. The root cause is a race where set elements could expire during unfinished control-plane transactions. The fix adds a timestamp field at the start of a transaction and stores it per-netns, updating the set backends’ insert, deactivat...
CVE-2024-27036
CVE-2024-27036 affects the Linux kernel CIFS writeback path. The vulnerability arises when cifs_extend_writeback() considers an extra folio but would overrun the wsize, causing the xarray scanning loop to rely on xas_pause(), which advances the counter and can skip a page. The fix is to call xas_...
CVE-2024-36904
The provided connected advisories confirm CVE-2024-36904 affects the Linux kernel TCP TIME-WAIT handling. Specifically, a race window during connect() could allow refcount mismanagement in tcp_twsk_unique() if a TIME-WAIT sk is reused with zero refcnt, potentially leading to a use-after-free. The...
CVE-2021-46969
CVE-2021-46969 affects the Linux kernel bus: mhi: core. The vulnerability arises when mhi_queue incorrectly returns an error if the doorbell is not accessible in a non-M0 state (e.g., M3). The device is awakened to M0 before updating the doorbell, and treating this as an error delayed the doorbel...
CVE-2024-26654
Summary (CVE-2024-26654): In the Linux kernel, the ALSA: sh: aica path could dereference a freed aica_channel due to a race between mod_timer/del_timer during PCM close, causing a use-after-free (UAF). Connected advisories confirm affected kernel families include Astra Linux advisories for Linux...
CVE-2024-27398
CVE-2024-27398 – Linux kernel Bluetooth SCO use-after-free. The vulnerability stems from a use-after-free in sco_sock_timeout: after a SCO connection is established, releasing the SCO socket may schedule timeout_work, but the socket can be freed yet still dereferenced by sco_sock_timeout, leadin...
CVE-2024-27401
CVE-2024-27401 affects the Linux kernel’s firewire nosy code path. The vulnerability arises because packet_buffer_get could read beyond the user-supplied length if the head packet length exceeded user_length, potentially allowing a user-space overflow. The fix ensures the function returns 0 when ...
CVE-2024-41090
CVE-2024-41090 and CVE-2024-41091 pertain to the Linux kernel’s handling of short frames in TAP/TUN paths. The bug stems from missing verification of frame length in the tap_get_user_xdp() path (CVE-2024-41090) and in the tun_xdp_one()/ETH header handling (CVE-2024-41091), potentially allowing a ...
CVE-2021-47040
CVE-2021-47040 relates to the Linux kernel io_uring subsystem. The vulnerability stems from overflow checks in provide_buffers() for io_provide_buffers_prep(), with prior attempts not addressing the overflow/sign-extension issue. It was resolved by introducing robust overflow checks via helper fu...
CVE-2021-47014
CVE-2021-47014 affects the Linux kernel’s net/sched code, specifically the act_ct action used during IP fragment handling. The root cause was a wild memory access that occurred when a temporarily stored IP fragment was reassembled: restoring skb->cb could overwrite FRAG_CB(), causing invalid m...
CVE-2024-26610
The CVE-2024-26610 vulnerability affects the Linux kernel’s iwlwifi component (iwl_fw_ini_trigger_tlv::data) where data is a __le32*; copying to data + offset with a byte-based offset can overflow the buffer, causing memory corruption. Connected Astra Linux advisory confirms a fix in the ...
CVE-2021-46999
CVE-2021-46999 affects the Linux kernel SCTP stack. A transport use-after-free occurs when processing a duplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), where COOKIE-ACK and SHUTDOWN chunks can be allocated with the transport from the new asoc but are later sent via the old asoc after the n...
CVE-2021-47004
CVE-2021-47004 affects the Linux kernel f2fs subsystem; the fix addresses a get_victim() GC bug in CP-disabling mode. Two issues arise when using LFS or SSR/AT_SSR to pick a victim: (1) GC could choose a section with checkpointed data if only current-segment checks were performed; the fix adds section-level validation so a v...
CVE-2024-41091
CVE-2024-41091, in the Linux kernel, is due to missing verification of frame length in the tun_xdp_one() path. This can allow a skb with insufficient Ethernet header length to be processed, risking out-of-bounds access or header-length inconsistencies in subsequent processing. A related path (tun...
CVE-2024-26619
CVE-2024-26619 concerns the Linux kernel on riscv, where a use-after-free was introduced by the order of kfree calls during module loading. The vulnerability is resolved by reversing the free order, preventing use-after-free conditions. The available details identify the affected component as the...
CVE-2023-52482
CVE-2023-52482 is a Linux kernel issue where x86 SRSO mitigation was added to address speculative return stack overflow on Hygon processors. The connected Nessus entry for MiracleLinux 9 references kernel commits that implement x86 srso mitigation for Hygon and notes this CVE’s resolution, aligni...
CVE-2024-26617
CVE-2024-26617 (Linux kernel): The vulnerability stems from fs/proc/task_mmu where the mmu notification mechanism was moved inside the mm lock, preventing a race with components that depend on the notifier to invalidate memory ranges. The patch tightens the notifier scope inside the mm lock, red...
CVE-2024-26616
CVE-2024-26616 affects the Linux kernel Btrfs file system, specifically the scrub path. The bug occurs when an ext4-converted Btrfs file system with a particular chunk layout causes scrub to split a bio and free resources twice, leading to a use-after-free in scrub_read_endio/scrub_submit_initial_read. The root ...
CVE-2023-52491
CVE-2023-52491 concerns a use-after-free in the Linux kernel’s media/mtk-jpeg driver. The issue arises from binding jpeg->job_timeout_work to mtk_jpeg_job_timeout_work in mtk_jpeg_probe and a path in mtk_jpeg_dec_device_run where an error in mtk_jpeg_set_dec_dst leads to a worker being started...
CVE-2024-26939
Summary (CVE-2024-26939): In the Linux kernel, the DRM i915 driver’s VMA handling suffers a use-after-free when destroying a VMA during a retirement race, leading to spurious frees of an active i915 VMA object. The root cause is a race between __active_retire() and i915_vma_destroy()/parked paths,...
CVE-2021-46955
CVE-2021-46955 affects the Linux kernel in combination with Open vSwitch. The issue arises in IPv4 packet fragmentation within ovs_fragment(), where a temporary dst_entry is misused as an rtable pointer during the ip_do_fragment() -> ip_skb_dst_mtu() -> ip_dst_mtu_maybe_forward() -> ip_m...
CVE-2021-46966
CVE-2021-46966 affects the Linux kernel: a use-after-free vulnerability in ACPI custom_method code where cm_write() could access a freed buf if count
CVE-2021-47013
CVE-2021-47013 concerns a use-after-free in Linux kernel’s net:emac/emac-mac path, specifically emac_mac_tx_buf_send. The issue arises when emac_tx_fill_tpd() errors cause skb to be freed (dev_kfree_skb(skb)), yet skb->len is still read by netdev_sent_queue(skb->len). The description states...
CVE-2021-47068
The CVE-2021-47068 entry concerns the Linux kernel NFC LLCP paths (llcp_sock_bind/llcp_sock_connect). Root cause: a refcount leak in bind/connect was fixed but introduced a use-after-free when the same local is bound to two sockets. The vulnerability is tied to the NFC LLCP implementation in the ...
CVE-2021-47017
The CVE-2021-47017 vulnerability is in the Linux kernel's ath10k_htc_send_bundle path, where a use-after-free could occur if bundle_skb is freed by dev_kfree_skb_any(bundle_skb) but later accessed via bundle_skb->len. The patch mitigates this by updating skb_len after freeing bundle_skb. Affec...
CVE-2024-26957
CVE-2024-26957 relates to the Linux kernel’s s390/zcrypt subsystem, where reference counting on zcrypt card objects was fixed to prevent a use-after-free of the zcrypt_card during hot-plug/probe/remove cycles. The issue could allow freeing a zcrypt card object while it is still in use, as demonst...
CVE-2021-46998
Summary: CVE-2021-46998 affects the Linux kernel, specifically the enic driver path in ethernet/enic. A use-after-free occurs in enic_hard_start_xmit when an error in enic_queue_wq_skb() frees a skb via dev_kfree_skb(skb), but skb_tx_timestamp(skb) may still access it. Root cause: freed skb used ...
CVE-2021-46959
CVE-2021-46959 is a Linux kernel SPI subsystem use-after-free issue (devm_spi_alloc_{master,slave}) caused by relying on the devres list during spi_unregister_controller. The root cause is that devres_find() runs after the devres list has been torn down, leading to underflow of reference counters...
CVE-2021-47058
CVE-2021-47058 is a Linux kernel vulnerability affecting the regmap debugfs path. The issue arises from a memory leak in which debugfs_name is freed in regmap_debugfs_exit() but not recreated due to a conditional added by upstream commit cffa4b2122f5. The relevant sequence involves regmap_reinit_...
CVE-2021-47028
CVE-2021-47028 affects the Linux kernel mt76 mt7915 driver stack. The issue is in tx rate reporting for mt7915e devices (cfg80211/mac80211 flow), where rate_info was not checked correctly, leading to unexpected or incorrect bitrate reporting. The connected NASL document confirms a fix in the txra...
CVE-2024-27008
CVE-2024-27008 is confirmed in the connected MiracleLinux advisories as a Linux kernel vulnerability affecting the drm nv04 driver. Description: when Output Resource (dcb->or) is assigned in fabricate_dcb_output(), there can be an out-of-bounds access to the dac_users array if dcb->or is ze...
CVE-2024-26608
The CVE-2024-26608 entry describes a Linux kernel ksmbd_nl_policy out-of-bounds read that was addressed by a patch to fix a global oob in ksmbd_nl_policy. The bug manifested as a read of size 1 at a netlink attribute parsing path, with the faulting address located in ksmbd_nl_policy+0x100/0xa80 a...
CVE-2024-26982
CVE-2024-26982 affects the Linux kernel Squashfs code. The vulnerability arises from an OOB read path in fill_meta_index() triggered by an inode number value of zero, which is treated as unused. After a faulty read aborts, an empty metadata index is invalidated with inode=0, and a subsequent read...
CVE-2024-26872
The CVE-2024-26872 vulnerability affects the Linux kernel RDMA/srpt subsystem. A race condition allows a use-after-free situation in srpt_refresh_port() when an event handler is registered before the srpt device is fully initialized. The issue can impact confidentiality, integrity, and availabili...
CVE-2024-26653
CVE-2024-26653: In the Linux kernel, the USB ljca (ljca_auxdev_release) path double-freed the platform_data on error handling when auxiliary_device_add() fails. The issue is fixed by removing the redundant kfree() in callers and by freeing the passed-in platform_data only for errors that occur b...
CVE-2024-26954
CVE-2024-26954 (Linux kernel) is tied to a slab-out-of-bounds read in ksmbd during smb2_create_req processing. The issue arises when smb2_create_req’s NameOffset is smaller than its Buffer offset, allowing slab-out-of-bounds reads from smb2_open. The patch fixes this by enforcing a minimum value ...
CVE-2023-52480
CVE-2023-52480 affects ksmbd (SMB3 server) in the Linux kernel. The vulnerability is a race condition between ksmbd_session_lookup and ksmbd_expire_session that could lead to a use-after-free, resolved by patching with a rwsem to synchronize session lookup and expiration. The description in conne...
CVE-2021-47069
CVE-2021-47069 is a Linux kernel race in IPC paths: do_mq_timedreceive may call wq_sleep with a stack-allocated ewq_addr that can be overwritten, leading to a later access by do_mq_timedsend and a crash. The root cause is a race between the receiver’s stack address and the sender’s use of that ad...